I discovered today that Tomato's Namecheap Dynamic DNS updater support use HTTP with passwords in the GET parameters.
This means your passwords are super easy to sniff on the wire. Don't use it.
Namecheap shouldn't be accepting this sort of request with out HTTPS and Tomato shouldn't be using it.
Here's how I found it:
Password has obviously already been regenerated.
Curl on any linux box will serve the purpose nicely (note the https://):
curl "https://dynamicdns.park-your-domain.com/update?host=$HOST&domain=$DOMAIN&password=$PASSWORD&ip=`curl -s http://my-ip.heroku.com/`"