When handling sensible information in the internet it has become common to verify users by a combination of password and username. More often than not the first communication between a web service and a new user is the registration. Therefore this point of exchange is quite vulnerable for many kind of attacks (man-in-the-middle, spoofing, knock-back,..), mostly with the goal to fetch the registration data for a third party.
The first step towards countering such methods is to establish a somewhat secure channel before requesting any detailed data from the user, but passwords must be verified and for that they have to be transmitted. Besides https and ssh there are many other protocols that increase the overall security, but still submitting passwords in plain is not an option for various reasons.
What is the best way to establish a secure handshake between webservices and users? or how can they both agree on one password without the need to sent it?