There are plans to update the forum, including for better security (the main issue with changing the forum software is concern over reliably migrating all of the existing content, since 2003).
After emailing (admittedly not current best practice), the passwords are hashed and only the hash is stored.
Implementing HTTPS is done on the web server layer, not on the forum software layer. It's a no-brainer and takes an hour to implement, at max. It's ashaming for Larian that they still use unsecure http in 2020.
