Shouldn't the login info be transmitted under https?