It's currently possible to go to http://hostname.com, which loads the login page. When users use this to log in, the username and password are transmitted in plaintext.
There should be an option in settings to force SSL for login which will redirect users to https://hostname.com.
It could be done at the web server level; however, this will prevent HTTP websites from accessing http://hostname.com/piwik.js.
The proposed enhancement is a web redirect if the login page is accessed over HTTP and secure HTTPS is enabled in the admin options.
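
One way to implement the proposed check in PHP, as an added example that is not Piwik's code: the function name, the settings keys (`force_ssl_login`, `trust_proxy_proto`, `hostname`) and the `$isLoginPage` flag are assumptions, and the sample requests are constructed.

```php
<?php
// Added example; not Piwik's code. Function and setting names are hypothetical.

/**
 * Decide whether a request for the login page must be redirected to HTTPS.
 * Returns the redirect URL, or null to serve the request unchanged.
 */
function loginHttpsRedirect(array $server, array $settings, bool $isLoginPage): ?string
{
    // Only the login page is redirected, so tracker requests such as
    // http://hostname.com/piwik.js are still served over plain HTTP.
    if (!$isLoginPage || empty($settings['force_ssl_login'])) {
        return null;
    }
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return null; // request already arrived over HTTPS
    }
    // Behind a TLS-terminating proxy, trust the forwarded scheme only when
    // the admin has opted in; otherwise a client could spoof the header.
    if (!empty($settings['trust_proxy_proto'])
        && strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https') {
        return null;
    }
    // Build the target from the configured hostname, not from the
    // client-supplied Host header, so the redirect cannot point elsewhere.
    $uri = (string) ($server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . $settings['hostname'] . $uri;
}

// Constructed settings and sample requests: [$_SERVER-like array, is login page?]
$settings = ['force_ssl_login' => true, 'trust_proxy_proto' => false, 'hostname' => 'hostname.com'];
$samples = [
    'login over HTTP'    => [['REQUEST_URI' => '/'], true],
    'login over HTTPS'   => [['REQUEST_URI' => '/', 'HTTPS' => 'on'], true],
    'tracker over HTTP'  => [['REQUEST_URI' => '/piwik.js'], false],
    'spoofed proxy hdr'  => [['REQUEST_URI' => '/', 'HTTP_X_FORWARDED_PROTO' => 'https'], true],
];
foreach ($samples as $label => [$server, $isLogin]) {
    $target = loginHttpsRedirect($server, $settings, $isLogin);
    // A real handler would send header('Location: ' . $target, true, 302) and exit.
    echo $label, ': ', $target === null ? 'serve as-is' : "302 -> $target", PHP_EOL;
}
```

A redirect only protects the GET that loads the form; a login POST that arrives over HTTP has already sent the credentials in plaintext, so the handler that accepts them needs the same check.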