After a lot of research and looking through code snippets I ended up realizing that no matter what kind of protection I implemented at the client side (hashing in Javascript, requesting nonces etc.) the sense of added security would just be an illusion. Sure, it wouldn't hurt but I keep on getting back to the "security through obscurity" quote.
Maybe there is a way to create a smart, simple way to authenticate users and protect credentials without using HTTPS/SSL but I haven't been able to find it (and I definitely don't have the coding skills to figure it out on my own).
I think I'll just get on the SSL bandwagon and save myself a lot of time and trouble.