Richard,
What you’re doing is essentially duplicating (to a lesser degree) the conversation that takes place during SSL negotiation. Running the login / register page over SSL allows you to bring the focus of your approach back to the server (since you’ve secured your login packets), where you can execute code in an environment you can trust.
FWIW, I’ve always used a per-user hash combined with machine-specific reversible encryption, such as DPAPI.