Password gets added to GET params
I am refactoring tons of CSS here and I came across the http://localhost:3000/admin/appearance/preview preview page. That is not hooked up to a login. When you click sign in, since it is not hooked up, the username and password get sent as GET params and the URL changes to this: http://localhost:3000/admin/appearance/preview?login=root&password=5iveL%21fe. Which is not great. Not sure what type of security issues you could have, but it sure doesn't look great to have the password in plaintext in the URL.
The file is here: /app/views/admin/appearances/preview.html.haml
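
A check for the pattern reported above, as an added example that is not part of the original report or the project's code: it scans rendered HTML for forms that contain a password input but would submit via GET, which is what a `<form>` does when it has no `method` attribute. The sample markup, the `/users/sign_in` action and the function name `forms_leaking_password` are constructed for illustration.

```ruby
# Added example: flag <form> elements that would put a password field in the URL.
# Per the HTML spec a form with a missing or invalid method attribute submits
# as GET, serializing every named input into the query string.

FORM_RE           = /<form\b([^>]*)>(.*?)<\/form>/im
PASSWORD_INPUT_RE = /<input\b[^>]*\btype\s*=\s*["']?password\b/i
# Lookbehind keeps "formmethod" and "data-method" from matching.
METHOD_RE         = /(?<![\w-])method\s*=\s*["']?([a-z]+)/i

# Methods that never serialize inputs into the query string.
SAFE_METHODS = %w[post dialog].freeze

# Returns one hash per offending form: its position in the document and the
# effective submission method.
# Limitation: a submit button's formmethod attribute can override the form's
# method and is not considered here.
def forms_leaking_password(html)
  html.scan(FORM_RE).each_with_index.filter_map do |(attrs, body), index|
    next unless body.match?(PASSWORD_INPUT_RE)

    method = (attrs[METHOD_RE, 1] || "get").downcase
    method = "get" unless %w[get post dialog].include?(method) # invalid => GET
    next if SAFE_METHODS.include?(method)

    { index: index, method: method }
  end
end

# Constructed sample: a preview-style login box with no method (leaks), and a
# form that posts its credentials (does not leak).
SAMPLE_HTML = <<~HTML
  <form class="login-box">
    <input type="text" name="login">
    <input type="password" name="password">
    <input type="submit" value="Sign in">
  </form>
  <form action="/users/sign_in" method="post">
    <input type="text" name="login">
    <input type="password" name="password">
  </form>
HTML

if __FILE__ == $0
  forms_leaking_password(SAMPLE_HTML).each do |hit|
    puts "form ##{hit[:index]} submits a password field via #{hit[:method].upcase}"
  end
end
```

Run against rendered views in a test suite, this catches preview or mock-up forms before credentials typed into them reach browser history, server access logs or `Referer` headers.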