Unless you have a server certficate and a HTTPS website, forms authentication means sending plain text passwords over the internet.
A way to avoid this is to use a challenge response protocol, where the server first sends a key to the client, and the client then uses the key to encrypt the password into a hash code before it is sent to the server. The server then computes the same hash code and verifies the client's hash code against it. Neat, isn't it?
Of couse a hacker could still employ session hijacking and replay posts, so obviously it's not as secure as SSL. On the other hand you don't need a certificate to use this and still avoid plain text passwords over the wire.
Note the control allows persisting the login to enable autologin. The current imlementation of this lowers security a great deal, as it is not session-based.