Yes, form-based auth is in clear text, because to the browser it's just a regular form submission - it has no idea that it's user credentials. Of course, a base64-encoded password is only marginally harder to recover than a plain text one.
She'll be back. I'm just gonna wait here. With this tiny ad:
Free, earth friendly heat - from the CodeRanch trailboss