I played with this before - setting up a web site so that it is impossible for a user to send their password in plain text. I was able to accomplish it with just the parameters (in kernel and site map, I think) but 1) I didn't fully test by sniffing the HTTP streams, so I'm not sure the password doesn't go through and 2) It broke a lot of graphics and stylesheets. This would be a nice thing to have written up as a feature request, because it ought to be a single check-box in the parameters.