ANY site that accepts passwords SHOULD use HTTPS. Period. Otherwise any user logging in immediately gives his/her credentials to everybody between the two ends of the connection, and many of those middlemen serve that data up on a platter to everybody who asks, and everybody who's hacked into their networks.
This also means that from the moment one logs in without HTTPS, a number of people and/or software entities can then log into one's account at will and do anything with it.
Configuring the web server's TLS (since the older SSL is basically cracked now) is interesting too, since ideally you want to provide only modern, more secure encryptions and forward secrecy (which means cracking keys doesn't crack all the past sessions' content along with them).
I think the problem is that most folks assume a site like this would at least have HTTPS, and then spill their guts all over the site in utterly readable-on-the-wire cleartext based on that faith.
HTTPS isn't uncrackable - the odds are any organization with enough cash to throw at the problem will eventually be able to crack it (hence the desire for forward secrecy), but it does change things from anybody being able to read *everything* without ANY effort, to requiring (usually) an expensive operation to capture any text at all. Assuming the web server's TLS (used by HTTPS) is correctly set up, etc.
Refs:
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
https://www.ssllabs.com/ssltest/
I'm not offering to do it (sorry), but I do want to emphasize that someone really, really needs to.
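
An added example (not part of the original post) of the "modern ciphers plus forward secrecy" check described above: it audits a list of offered protocol/cipher pairs and builds a server-side context restricted to TLS 1.2+ with ECDHE key exchange. The sample offer list and the function names are constructed for illustration; cipher names follow OpenSSL's naming.

```python
import ssl

# OpenSSL cipher-name prefixes whose key exchange is ephemeral (forward secret).
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def has_forward_secrecy(cipher_name: str) -> bool:
    """TLS 1.3 suites (TLS_*) always use an ephemeral key exchange."""
    return cipher_name.startswith("TLS_") or cipher_name.startswith(PFS_PREFIXES)


def audit(offered):
    """Return (protocol, cipher, problem) for every weak offer in the list."""
    findings = []
    for protocol, cipher in offered:
        if protocol in OLD_PROTOCOLS:
            findings.append((protocol, cipher, "obsolete protocol"))
        elif not has_forward_secrecy(cipher):
            findings.append((protocol, cipher, "no forward secrecy"))
    return findings


def hardened_server_context() -> ssl.SSLContext:
    """Server context: TLS 1.2 or newer, ECDHE key exchange, AEAD ciphers only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


# Constructed sample: what a scan of a loosely configured server might list.
SAMPLE_OFFER = [
    ("SSLv3", "DES-CBC3-SHA"),
    ("TLSv1.2", "AES256-SHA"),  # static RSA key exchange, no forward secrecy
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_OFFER):
        print("WEAK:", *finding)
    enabled = [(c["protocol"], c["name"])
               for c in hardened_server_context().get_ciphers()]
    print(len(enabled), "suites enabled,", len(audit(enabled)), "weak")
```

The same policy on the web server itself is expressed through its TLS protocol and cipher-suite settings; the SSL Labs test linked above reports what a deployed server actually offers.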