A follow up to that (more for advice than anything related to squarelibraries), but my team is now saying that the form attributes should be encrypted (as in, if you inspected with charles, you shouldn't be able to read the password) I feel like that's kind of crazy because we use TLS, and so it is encrypted. Leads me to my question... do most apps/services just send up the username/password combo in "plaintext"? From what I'm seeing (and inspecting via charles) that seems to be a valid route that teams take.