Monday, August 20, 2007

What not to do for a login form


I just started working with a new client. One of my first tasks was to modify a popular piece of hosted blogging software. One thing that I noticed was the login form. Their mistake is a rather common one. I could not initially view the login form via SSL. Yes, when the form sent the data over to the server, it was in an encrypted pipe, which is good, and if you did not log in successfully it directed you to a secure form. However, the initial post was not from an SSL form. Now you might be thinking I am over-reacting, but there is another reason SSL is good: it verifies a site's identity. This will help a site against phishing attacks. Granted, it won't prevent phishing attacks, since most users don't look at the SSL bar, but hey, every bit helps :).

Back to working....
