Anything sent over HTTP is in plain text and therefore readable. This also applies to automatically generated passwords and password resets. The only way to prevent 3rd parties reading users' HTTP traffic is to encrypt it.
This isn't specific to Moodle, it applies to any web app that uses login credentials. If you're in the EU and receive government funding, then there's often a requirement to use HTTPS.