Inside of my friend's website, when a user logs in, they send their username / password to him over HTTPS. Besides having a SSL, there isn't a special obfuscation of the password (it's living in memory in the browser).
Is there anything else he should do to tighten security? Should he keep it hashed? What about in RAM?