Wow, thats bad on so many levels.
1. Password remains visible in plain text in the browser history
This is a Tuffmail problem. You'll notice the file is "rclogin-2.php" that isn't a Roundcube file its something that Tuffmail has built. Badly.
2. Roundcube (0.7)
It seems that Tuffmail offers two version of Roundcube, both of which are extremely out of date with known security vulnerabilities
0.7.2 - released March 11, 2012 (nearly 5 years out of date)
0.5.3 - released June 02, 2011 (over 5 and 1/2 years out of date), and not even the last release in the 0.5.x branch
Needless to say I'd recommend switching providers ASAP!