Assuming you are using SQL Server 2005 or 2008, the login is encrypted.
However, unless you have configured a certificate, you may have to worry
about a man-in-the-middle attack.
From Books Online: http://msdn.microsoft.com/en-us/library/ms189067.aspx
Credentials (in the login packet) that are transmitted when a client
application connects to SQL Server are always encrypted. SQL Server will use
a certificate from a trusted certification authority if available. If a
trusted certificate is not installed, SQL Server will generate a self-signed
certificate when the instance is started, and use the self-signed
certificate to encrypt the credentials. This self-signed certificate helps
increase security but it does not provide protection against identity
spoofing by the server. If the self-signed certificate is used, and the
value of the ForceEncryption option is set to Yes, all data transmitted
across a network between SQL Server and the client application will be
encrypted using the self-signed certificate.
CAUTION:
SSL connections that are encrypted by using a self-signed certificate do not
provide strong security. They are susceptible to man-in-the-middle attacks.
You should not rely on SSL using self-signed certificates in a production
environment or on servers that are connected to the Internet.

Rick Byham (MSFT), SQL Server Books Online
This posting is provided "AS IS" with no warranties, and confers no rights.
>I am trying to confirm best practice security configuration and was under the
[quoted text clipped - 7 lines]
>
> -John
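
Added example, not part of the original post or of Books Online: a client-side check for the man-in-the-middle exposure the quoted caution describes. It assumes ADO.NET (System.Data.SqlClient) connection strings and their `Encrypt` and `TrustServerCertificate` keywords, with an absent `Encrypt` treated as not requested; the function names, finding names and sample strings are constructed for illustration.

```python
import re

# key=value pairs; a value may be quoted and may then contain ';' or '='
PAIR = re.compile(
    r"""\s*([^=;]+?)\s*=\s*("(?:[^"]|"")*"|'(?:[^']|'')*'|[^;]*)\s*(?:;|$)""")
TRUE_VALUES = {"true", "yes"}


def parse_conn_str(conn_str):
    """Return the settings with lower-cased keys; a repeated key overrides."""
    settings = {}
    for key, value in PAIR.findall(conn_str):
        # Strip one layer of matching quotes so quoted values compare cleanly.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        settings[key.lower()] = value.strip()
    return settings


def audit(conn_str):
    """List the ways this client would accept a server it has not verified."""
    s = parse_conn_str(conn_str)
    # Assumption: no Encrypt keyword means the client does not ask for it.
    encrypt = s.get("encrypt", "false").lower() in TRUE_VALUES
    trust = s.get("trustservercertificate", "false").lower() in TRUE_VALUES
    findings = []
    if not encrypt:
        # Any encryption of the session is then left to the server's settings.
        findings.append("encryption-not-required-by-client")
    if trust:
        # Chain validation is skipped, so a self-signed certificate is accepted.
        findings.append("server-certificate-not-validated")
    return findings


# Constructed samples (hypothetical server and database names).
SAMPLES = [
    "Server=db01;Database=app;Integrated Security=SSPI",
    "Server=db01;Database=app;Encrypt=True;TrustServerCertificate=True",
    "Server=db01;Database=app;Encrypt=True;TrustServerCertificate=False",
    # A quoted password containing ';Encrypt=true' must not count as a setting.
    "Server=db01;Password='x;Encrypt=true';TrustServerCertificate=yes",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample) or ["ok"], "<-", sample)
```

Only the third sample passes: it requires encryption and leaves certificate validation on, which in turn needs a certificate from a trusted certification authority on the server rather than the self-signed one.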