Using JavaScript to hash the password before sending over the wire is the very least I would expect. It would be nicer yet if you used CRAM-MD5, HTTP Digest, or SSL (experts have spend thousands of hours pouring over the security implications of these protocols).
You absolutely must use salt. If you do not the passwords are easily reversed using rainbow tables. A very simple salt that works fairly well, have the server send a random salt with the page. MD5 the password, then MD5 the first hash and the salt together. On the server side you can store the MD5 password, and run a quick MD5 on the stored hash and the salt from the page; compare and authenticate appropriately. This sort of salt is known as a nonce. You should also add a long realm salt to both the original password and the one stored on the server.
So a "good" way to go (short of SSL and the others mentioned above) is:
A = MD5 ( Password + Realm)
B = MD5 ( A + Nonce)
Send B over the wire. Keep A stored on the server. When setting A in the first place use a simple reversible encryption like ROT or XOR. Personally I would consider anything less than this irresponsible because so many users foolishly use the exact same password for darn near everything (even Jeff - site founder - has done this).