Hi Rowlers,
please consider these points:
- in case of a man-in-the-middle attack ('man' in the middle likely being a program or a script), they could collect unencrypted passwords and logins and attempt to use them elsewhere - people are known for using weak passwords and the same passwords on several websites - some could use the same password on, say, Amazon or eBay.
- in case there's a bug in XenForo (there are bound to be some), an attacker obtains login and password combinations via a man-in-the-middle attack, then logs in as one of the users and exploits the bug. The nature of the bug could vary - an SQL injection vulnerability, missing filtering/escaping of text before injecting it into a template, etc.
- it's better to err on the side of caution - if they were to obtain an admin's credentials and use them to inject some malicious code into e.g. a template, it would then affect quite a few users before someone would take it down... unless the attacker changes all admin passwords and email addresses.
It's really to protect the fora themselves and users who don't follow/are unaware of sound security practices. That there is no financial/strictly confidential information being stored here doesn't mean it can't lead to something nasty eventually. Besides, there's BST and PM which may contain information that is better hidden from the outside world for one reason or another.
If it's a no for now, then it's a no, but extra security should do no harm.
On a somewhat related note, The Cuckoo's Egg by Cliff Stoll is a pretty fun, light read and can highlight some issues of weaker security in systems that are deemed non-critical that can lead to larger issues. It's a real-life story and well worth reading, IMO.
Cheers,
Peter