Passing encrypted password between systems - ideas?
Message
From
30/05/2018 17:05:42
 
 
To
30/05/2018 13:15:29
General information
Forum: Visual FoxPro
Category: Coding, syntax & commands
Environment versions
Visual FoxPro: VFP 9 SP2
OS: Windows Server 2012 R2
Network: Windows Server 2012 R2
Database: Visual FoxPro
Application: Desktop
Virtual environment: VMWare
Miscellaneous
Thread ID: 01660458
Message ID: 01660473
Views: 77
Well, I used "as secure as unencrypted" to say it's 0% secure ..

If you can coordinate development with the server side programmer, you can use the following pattern to authenticate users and http calls:

To create and save credentials, you initially should:

input userName ( min 4 chars )
input password ( min 8 chars )

initHash = sha256( password + UserName )

Server:

receives from the new client:

-UserName
-initHash

then calculate:

dbSalt = guid()
dbHash = sha256( initHash+ dbSalt )

Save on your DB:

userName
dbHash
dbSalt

( dbSalt is used as protection against brute force and dictionary attacks in case someone gains access to the table )

Now your server has all it needs to authenticate the user ( see there's no password anywhere )

Later, to access the service, you enter the login page or endpoint and request access for the "userName";
the server looks for the userName and answers, creating a string (the nonce) which at least includes information about the call number,
date-time and a random or secret string:


randomString = sys(2015) && for simplicity of this example

And returns it to the client along with the dbsalt for that user:

-randomString
-dbSalt

client then repeats:

initHash = sha256(password+userName)
dbHash = sha256( initHash + dbSalt )
sessionHash = sha256( dbHash + randomString )

and just sends sessionHash

Server just compares it with the server side calculated one for that challenge.

This is the basic explanation, but should help you get on track for https://tools.ietf.org/html/rfc7616
@nfoxdev
github.com/nfoxdev
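
The exchange described in the post above, with both the client and the server side, as an added example that is not part of the original post. It is written in Python rather than VFP; the class and function names are hypothetical, `secrets.token_hex` stands in for `sys(2015)`, and the single-use nonce handling and constant-time comparison are assumptions about how the server side would be built.

```python
import hashlib, hmac, secrets, uuid

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class Server:
    def __init__(self):
        self.users = {}    # userName -> (dbHash, dbSalt); the password is never stored
        self.pending = {}  # userName -> outstanding randomString (the nonce)

    def register(self, user_name, init_hash):
        db_salt = str(uuid.uuid4())                          # dbSalt = guid()
        self.users[user_name] = (sha256_hex(init_hash + db_salt), db_salt)

    def challenge(self, user_name):
        _, db_salt = self.users[user_name]
        random_string = secrets.token_hex(16)                # assumption: CSPRNG nonce
        self.pending[user_name] = random_string
        return random_string, db_salt

    def verify(self, user_name, session_hash):
        random_string = self.pending.pop(user_name, None)    # each nonce is single use
        if random_string is None or user_name not in self.users:
            return False
        db_hash, _ = self.users[user_name]
        expected = sha256_hex(db_hash + random_string)
        return hmac.compare_digest(expected, session_hash)   # constant-time compare

def client_init_hash(user_name, password):
    if len(user_name) < 4 or len(password) < 8:
        raise ValueError("userName min 4 chars, password min 8 chars")
    return sha256_hex(password + user_name)

def client_response(user_name, password, random_string, db_salt):
    db_hash = sha256_hex(client_init_hash(user_name, password) + db_salt)
    return sha256_hex(db_hash + random_string)               # sessionHash

def demo():
    server = Server()
    # Constructed sample credentials, for illustration only.
    server.register("alice", client_init_hash("alice", "correct horse"))
    nonce, salt = server.challenge("alice")
    good = client_response("alice", "correct horse", nonce, salt)
    first = server.verify("alice", good)
    replay = server.verify("alice", good)   # same sessionHash, nonce already consumed
    nonce2, salt2 = server.challenge("alice")
    bad = client_response("alice", "wrong password", nonce2, salt2)
    return first, replay, server.verify("alice", bad)
```

In this scheme the stored dbHash is all that is needed to compute a valid sessionHash for any challenge, so the user table needs the same protection as a password file.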