Just to be clear (and the FAQ on Atul Prakash's web page states this also), that any security system where the logon page is not SSL does not necessarily mean that the username/password is sent in clear text over the network, where anyone can snoop it.
Most of the time, if the logon page itself is not SSL, the postback that occurs when the user submits the username and password does use SSL. Thus, the username and password are protected.
Atul's point is that when the logon page is not SSL, it opens the site up to a phishing attack, because the logon page becomes easy to duplicate. With no SSL certificate to let the user know that they're on the legitimate site, the phishing site can be an exact replica.
It used to be very common to design sites this way, because if the the logon page uses SSL, then the entire page and associated graphics then all have to be delivered via SSL, which is computationally intensive and significantly reduces the number of simultaneous users that the web site can handle. Designing the site such that only the postback uses SSL reduces the computational load on the web server considerably.
Obviously, times have changed, both in terms of security and in available computational power, and there is no reason today that the entire site including the logon page cannot be delivered via SSL.