The impact is potentially quite severe, too. An attacker could hijack the update process and deliver malware that would compromise your PC.

To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. You can also verify that you're getting a signed download, if you're worried. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat. Even if it's true that ad income would take a steep hit, the consequences of knowingly exposing people to attack (including alienating those who once trusted the password tool) are likely far more severe.