I must say, after testing this plugin, I question whether it's really useful. I logged in the first time and it didn't let me in. The first login form had the CHAP code in it. The second login form didn't have any CHAP code at all; it just warned me that my login was being sent unencrypted.
What's the value in sending a hashed password the first time and a plain-text password the second time? It doesn't work around the security issue; it just adds an extra step to logging in.
Someone feel free to correct me if I'm misunderstanding something.