I've been meaning to sort this out for ages, but completely forgot. Thankfully b-root reminded me by logging Ticket #14. phpSmug (as of rev 1.0.5 and 1.1.3) now uses SSL/HTTPS for all login.with* methods to ensure login information is not sent across the wire in the clear.