I was going to suggest fixing the username/password thing by using OAuth 2.0 and only supporting the use of external credentials supported by that (Google, Facebook, LinkedIn, Microsoft, ...) and NOT supporting any kind of local login. The problem with that is that you always have some folks who won't countenance having any of those accounts who would then be excluded. (I'm not sure I see that as an issue, myself, mind).
I'd still lean towards SSL, though, even if the password handling was outsourced to one of the online authentication services, but it would probably depend on having an annual funding drive... (perhaps we need one of those thermometers they use for church roof fundraising progress meters).