I have a JavaScript package that will have a need to make 1 external API call by sending data to our servers with the users User name, password and security token.  My question is how should we go about transmitting the password(plain-text vs. base64) and what about storing it in a salesforce custom object?  what are the security implications / rules for this?  Does anybody know?

I have a JavaScript package that will have a need to make 1 external API call by sending data to our servers with the users User name, password and security token.  My question is how should we go about transmitting the password(plain-text vs. base64) and what about storing it in a salesforce custom object?  what are the security implications / rules for this?  Does anybody know?