The passwords are not being sent between server and client in plain text, and if someone's machine is compromised, it would seem that you're hosed regardless.
There seems to be an assumption made here that if someone can read a file on your computer, your "machine is compromised" and you're totally screwed and it's not MF's problem. I don't understand where this assumption comes from, especially because it's not true. People put dots over passwords as they're being typed in because someone can be looking over your shoulder as you type. Why can't you obfuscate passwords that are stored on the file system? Even if someone's "machine is compromised", why would you make it easier to find passwords when you could just XOR it with something, or hash it? Really, you should always, always, always, 100% of the time, without ANY exceptions, hash passwords before you store them. There is no reason whatsoever to not do this.
And that's the really concerning part for me. You expect me to download and run an executable on my computer. If we have to tell your developers to hash passwords before they're stored, then how much do they know about security? Or development in general? Systems have to be designed with security in mind or else they're going to be vulnerable -- how can I know that the same guy who stores passwords in plain text in the Program Files folder can write an application that won't give the bad guys Local Privilege Escalation on my computer? Let alone implement a communications protocol that can play Dominion without the integrity of the game being compromised.
Let me be clear: I'm not touching this application again until I can be reasonably sure that it's secure (and there are very few people that want your app to succeed more than me, seriously). Storing passwords in plain text is not secure. You can wave your hands at it as much as you want and say it's not a big deal, but now you just look silly waving your hands and saying wrong things. It's not hard to change this. Why isn't it being changed? Ugh.