Wow, you just caught the bug in the system. I just noticed by reproducing it.
Don't know if it was intentionally done or a mistake. But that's not good. Only the Epi team can say anything about that. :)
Short answer: yes.
Long answer: you can try it out with any website out there, and it'll be like that. Some websites try to "encrypt" the password, but it's only client-side encryption so it can be easily decrypted. The protection is on SSL - i.e. the connection is encrypted, not the data itself.
When using standard Episerver CMS login, the password and user name are posted as clear text.
Any thoughts on this? Is it supposed to be like that?