By default it has pathetic security: plaintext logins, very weak password hashes, no filtering of inputs, etc.
These extensions seem to be good, and they are all free. I haven't tried them in any depth, of course.
One strange thing is that the user can turn off the encryption before logging in; if they do that, the protection vanishes. Note the option in the upper left here: