In this case, you have all the tools to satisfy your inner skeptic: the source is right there, if you don't trust yourself to read it, it's trivial enough to examine all communication the page does.
As the site says, the passwords are hashed on the client, and nothing but the hash is ever sent to the server.
You make a fair point, but this is Slashdot, we're not supposed to be "users" here.