I think what you really want is to use HTTP POST instead of HTTP GET, and then you won't be seeing the user and password in the browser. It doesn't, however, make it more secure.