Client -> Password is MD5 hashed (once) using JS -> Password sent to server -> Script adds salt and hashes MD5 again.