cryptic-game / cryptic

The official repository of Cryptic

Home Page: https://cryptic-game.net/

Security Problem in Login

Minecodes opened this issue

When you use a bad proxy (Burp Suite or MitmProxy) for data spying, you can see the password and username in clear text!

Thank you for the report. However, we don't consider this a security issue. It is true that you can see the credentials if you are able to perform a man-in-the-middle attack. In fact, you can do that on most websites. The backend always has to get some password to compare it to its database. We prevent others from seeing the credentials by using HTTPS. Of course it's easy to bypass it manually on your own devices by trusting the certificate of the MITM proxy. In normal circumstances, neither an innocent nor a bad proxy can do that.
Ideally, the user has a strong new password for every website and, after a real attack, the hacker can only log into Cryptic. Because that is probably not true for everyone, we could salt and hash the password on both ends. That would make the attack less useful. We can think about doing that in the distant future, though it is not straightforward to implement and does not directly improve security.
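
The "salt and hash the password on both ends" idea from the reply above, as an added sketch that is not part of the thread or of Cryptic's code. It assumes PBKDF2-HMAC-SHA256 and a deterministic client salt built from the site name and username; all function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def client_prehash(site: str, username: str, password: str) -> bytes:
    """Client side: derive the value sent over HTTPS in place of the password.

    The salt is deterministic (site + username) so the client can recompute it
    at every login without a round trip.
    """
    salt = f"{site}:{username.lower()}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def server_register(prehash: bytes) -> tuple[bytes, bytes]:
    """Server side: hash the received value again under a random salt."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", prehash, salt, ITERATIONS)


def server_verify(prehash: bytes, record: tuple[bytes, bytes]) -> bool:
    """Server side: recompute the stored digest and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", prehash, salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed sample account, not real data.
    site, user, pw = "cryptic-game.net", "alice", "correct horse battery"
    record = server_register(client_prehash(site, user, pw))
    on_wire = client_prehash(site, user, pw)  # what a TLS-terminating proxy sees
    return {
        "wrong_password_ok": server_verify(client_prehash(site, user, "guess"), record),
        "password_on_wire": pw.encode() in on_wire,
        # The captured value is still a valid credential for this one site...
        "replay_ok": server_verify(on_wire, record),
        # ...but differs from what the same password yields elsewhere.
        "same_on_other_site": on_wire == client_prehash("other.example", user, pw),
    }


if __name__ == "__main__":
    print(demo())
```

The `replay_ok` result shows why this does not directly improve security for the site itself: the pre-hash becomes the credential, so HTTPS remains the control that protects it in transit.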