A: 

Yes, your credentials are passed in cleartext, anyone who can hear your network traffic can sniff them.

Adam Bellaire
+4  A: 

type="password" only hides the character on-screen. If you want to stop sniffing, you need to encrypt the connection (i.e. HTTPS).

skaffman
+7  A: 

Every data sent trought a http connection can be seen by someone in your route to the server (man in the middle attack).

type="password" only hides the character on-screen, and even other programs on your computer can read the data.

The only way to protect the data is to send it trought SSL (HTTPS instead of HTTP)

AlbertEin
A: 

Contents of a POST body are visible, i.e., "in the clear," if transported on a non-encrypted channel. If you wish to protect the HTTP body from being sniffed, you should do so over a secure channel, via HTTPS.

Danny Whitt
+1  A: 

You can either encrypt the HTTP connection via HTTPS, or there are MD5 and other hashing algorithms implemented in JavaScript that can be used client side to hash the password client side before sending it, hence stopping a sniffer being able to read your password.

Matthew Scharley
On second option - hashes:If sniffer gets hash of my password, then he does not need my password. He can just send POST with my password's hash. Or am I missing something here?
True, but there are ways around that too (hashing some random data prepended to the password and posting that too), but even this basic scheme prevents use of your password anywhere else, which is already a big boost given most users reuse the same pasword over and over.
Matthew Scharley