security when calling a webservice or aspx page with password

I'm wondering if I have a web service like this:

Login(username, password)

or a page like

login.aspx?u=username&p=pass

If they were called from a desktop app, which would be more secure? From what I've read, a sniffer can read the request and figure out the URL. I AM hashing the passwords before putting them in the request, but if someone sees the request URL with the params/query string then they can make the request with the same values!?

How easy/hard is it for a sniffer to figure out the hashed password? Should I encrypt the password and username before putting it into the url and web service? Any other options I have?

I'm asking because the data is NOT all that sensitive but basic security should exist at a minimal performance cost.

NOTE: SSL is NOT an option


Use SSL to create a unique session token via a login service. Use that session token over standard HTTP for the rest.

Your login session will need to take the username/password as a POST, otherwise the values will be visible in the URL request to the server and to possible snooping on the network.
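
An added example, not part of the answer above, sketching the server side of that login-then-token flow in Python: the password is checked once (in the POST body of the TLS-protected login call) and every later request carries only a random, expiring token. The class name, method names, TTL and PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time


class LoginService:
    """Hypothetical login service: password checked once, random token afterwards."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self._users = {}      # username -> (salt, password hash)
        self._sessions = {}   # token -> (username, expiry time)
        self._ttl = ttl_seconds
        self._clock = clock

    @staticmethod
    def _hash(password, salt):
        # Iteration count is an assumed value for this example.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """Handle the POST body of the login request (sent over TLS)."""
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        candidate = self._hash(password, salt)
        if not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to the password
        self._sessions[token] = (username, self._clock() + self._ttl)
        return token

    def authenticate(self, token):
        """Check the token presented on each later request."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires = entry
        if self._clock() >= expires:
            del self._sessions[token]  # expired: a captured copy stops working
            return None
        return username

    def logout(self, token):
        self._sessions.pop(token, None)
```

Unlike a hashed password in a query string, the token is different on every login and can be expired or revoked; a copy captured from the plain-HTTP traffic is still usable until then, which is what the TTL and `logout` bound.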


Just use HTTPS to encrypt the channel. That way you don't have to worry about sniffers.


If you're working with a bank, you may be obliged to use SSL. Check your local legislation - I think this will also determine what is sensitive data.
