Yes, form-based auth is in clear text, because to the browser it's just a regular form submission - it has no idea that it's user credentials. Of course, a base64-encoded password is only marginally harder to recover than a plain text one.
Those are the largest trousers in the world! Especially when next to this ad:
Thread Boost - a very different sort of advertising