Erm, except it's not US sending cleartext passwords, it is the person logging in sending a password that could be sniffed with a keylogger or something. Our member passwords are encrypted/hashed/salted on our servers.
So it's the USERS fault that your login page doesn't pre-encrypted/hashed before being sent, or using SSL.
a keylogger is kind of invalid argument since at that point your computer is already fully compromised and it doesn't matter where it's encrypted unless you have a keyboard with a TPM chip that encrypts the password before the computer sees it, which is kind of unreasonable and besides the point
point is the password can be hashed client side before they're sent without "expensive" SSL certs.
As it is, even if they're not stored as clear text, someone could inject bad code to your site, and have all the cleartext passwords sent to you every day passed on .