There are some rules on how to handle passwords etc.
But what can you do when there is no encrypted communication and you need to verify a password?
For example: the game starts and the user wants to log in to play online. The player enters a password and username. How do you send it to the server so that packet-sniffing crackers won't get it?
Maybe this way: Server sends a one-time question to the client, client hashes the answer with the hash of the entered and salted password and sends it to the server. Server knows the answer and also hashes it with the hash of the password. So everything the sniffer gets are one-time valid logins.
Should be safe, shouldn't it?
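The exchange described above, sketched as an added example that is not part of the original post. HMAC-SHA256 and PBKDF2 stand in for the unspecified "hash", and the `Server` class, function names and credentials are constructed for illustration.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def derive_key(password: str, salt: bytes) -> bytes:
    """Salted password hash; the client recomputes it, the server stores it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Client side: key the one-time challenge with the salted password hash."""
    return hmac.new(derive_key(password, salt), challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.users = {}    # username -> (salt, stored key)
        self.pending = {}  # username -> outstanding challenge

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_key(password, salt))

    def start_login(self, username):
        """Return the salt and a fresh random challenge (both travel in clear)."""
        salt, _ = self.users[username]
        challenge = secrets.token_bytes(32)
        self.pending[username] = challenge
        return salt, challenge

    def finish_login(self, username, response):
        # pop() makes the challenge single-use, so a replayed response fails
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return False
        _, key = self.users[username]
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo():
    server = Server()
    server.register("player1", "correct horse")  # constructed credentials
    salt, challenge = server.start_login("player1")
    sniffed = client_response("correct horse", salt, challenge)
    first = server.finish_login("player1", sniffed)   # genuine login
    replay = server.finish_login("player1", sniffed)  # challenge already used
    server.start_login("player1")                     # new challenge issued
    stale = server.finish_login("player1", sniffed)   # old response, new challenge
    return first, replay, stale

if __name__ == "__main__":
    print(demo())
```

The stored key is password-equivalent in this scheme, since anyone who reads the server's database can answer challenges without knowing the password. A sniffer who records a salt, challenge and response can also test password guesses offline against them.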