many of our business applications dont have seperate usernames/passwords, are integrated with active directory, i.e. "windows authentication". I have noticed for many of our apps the login process is done over HTTP. when you login to an app via windows authentication, does that mean your domain password is sent clear text over the network plain text, or would it be some sort of representation of your password that is sent to the app server/DB server (i.e. hash?). is it basically a backend SQL server DB that determines access, i.e. are you in the server logins either by a SQL login or a windows authenticaiton account. I am not from a development background but I beleive most of thse apps were built with asp.net.