hmm - isn't the CGI-password transmission kinda secure if you channel it thru SSL? and why not use some of the standard encryption modules to en-/decrypt data before/after writing/reading it to/from the DB? (doesn't help much if you can't secure the server, though!)