Client WP site no SSL - are login username/password sent as plain text?

For this site, the client is hosted on Bluehost and doesn't want to get an SSL / dedicated IP at this time.

I'm worried that her login page ~/wp-admin/ is not HTTPS and that when we log in, our passwords and usernames are being sent as plain text.

Can you confirm what is happening here? Are we at risk for hacking?