If that provides security really depends on what the "bad guys" are hooking. If they're placing event triggers straight onto text box/button/form elements themselves (either through JavaScript or grabbing something akin to Win32 messages) then that wouldn't do anything at all.
Even if they did grab the raw POST request (which is somewhat common) a hash would only provide security if it was merged with an anti-forgery token sent from the server, otherwise the "bad guy" could just re-post the exact same hash and login anyway.
I think it really boils down to how popular your site is. If for example Facebook did that, because it is popular enough with the "bad guys" they're going to spend the time circumventing any JavaScript-based security you could implement.
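The replay point in the post above, as an added example that is not part of the original thread: a static client-side hash is compared with a response bound to a one-time server token. The function names, the sample account, and the choice of SHA-256/HMAC in Node.js are assumptions made for illustration.

```javascript
// Added example with constructed data; not code from the thread.
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const hmac = (key, msg) => crypto.createHmac("sha256", key).update(msg).digest("hex");

// Constructed sample account: the server stores what the client-side hash produces.
const users = { alice: sha256("correct horse") };
const pending = new Map(); // token -> username, each token valid once

// Constant-time comparison of two hex strings.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Scheme A: the client posts sha256(password). The hash itself becomes the credential.
function loginStaticHash(user, postedHash) {
  return users[user] !== undefined && safeEqual(users[user], postedHash);
}

// Scheme B: the server issues a one-time token and the client posts HMAC(hash, token).
function issueToken(user) {
  const token = crypto.randomBytes(16).toString("hex");
  pending.set(token, user); // a real server would also expire unused tokens
  return token;
}

function loginWithToken(user, token, response) {
  if (pending.get(token) !== user) return false; // unknown or already consumed
  pending.delete(token);                         // single use
  return users[user] !== undefined && safeEqual(hmac(users[user], token), response);
}

function demo() {
  const h = sha256("correct horse");             // computed in the browser
  const staticFirst = loginStaticHash("alice", h);
  const staticReplay = loginStaticHash("alice", h); // same POST body sent again
  const t1 = issueToken("alice");
  const resp = hmac(h, t1);
  const tokenFirst = loginWithToken("alice", t1, resp);
  const tokenReplay = loginWithToken("alice", t1, resp); // token already consumed
  const staleResp = loginWithToken("alice", issueToken("alice"), resp); // old response, new token
  return { staticFirst, staticReplay, tokenFirst, tokenReplay, staleResp };
}
```

The token only addresses replay of a captured POST body; it does nothing against input captured at the form elements, and the stored hash in this sketch is still password-equivalent on the server side.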
Not a single company I worked for.
I guess it's simply because JS doesn't include hashing, whereas in PHP it's simply a matter of calling sha1().
But it is pretty easy to include, I guess people just don't think about it.