Password is definitely sent in Base64 encoding. However, encoding is not same as encryption. There is a subtle difference which causes the Base64 encoded
string to be termed as "clear text".
An encrypted string cannot be decrypted unless you have something (usually, the key) that was used to encrypt it even if you know the algorithm. For example, if you encrypt a string using Blowfish, nobody can ( well, leave alone cracking for now) decrypt it unless one has the key even if one knows that the original string was encrypted using Blowfish.
Encoding, on the other hand, has no such protection. Anybody who knows the algorithm can decode it. For example, ASCII, EBCDIC, Unicode are all encoding mechanism. You don't have to do any decryption to find out that 65 is ASCII for A. Similary, Base64 is another encoding mechanism. Anybody can find out what a Base64 encoded string means in ASCII.
For this reason, it is said that the password is sent in "clear text". I remember there was a question on this particular aspect in the exam too.
HTH,
Paul.
[ August 07, 2002: Message edited by: Paul Anil ]