Comment 5 for bug 733307

Luke Faraone (lfaraone) wrote:

Not as far as we're aware; the main login method used by the Pandora web client sends the password symmetrically encrypted.

We'll look into possibly logging in via SSL and transferring from an HTTP cookie to an LSO, but the protocol's use of Blowfish means that the authentication token (be it password or cookie) can be sniffed regardless.