I'm a computer scientist and cannot trade on platforms which send me HTML emails and have the plaintext password in the API calls. Such things cause me physical pain.
It takes a simple man-in-the-middle attack to read the cleartext credentials from the API calls.
How do you want to do a MitM attack with a plaintext password sent over HTTPS?!? As a computer scientist you should know that it is impossible. The advantage of using HMAC over HTTPS is very minimal and depends on the details of the client and server implementation (mainly the password storage).
On the other hand, that they don't support API keys restricted to specific functions (trade/withdrawal/..) is indeed a severe limitation.
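For reference, an added sketch (not part of either post and not any platform's real API) of the two mechanisms discussed above: HMAC-signed requests and API keys restricted to specific functions. The key id `key-1`, the action names and the signed-message layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: one API key limited to the "trade" function.
# To verify an HMAC the server must keep the signing secret recoverable,
# whereas a login password can be stored only as a slow hash.
KEYS = {"key-1": {"secret": b"constructed-sample-secret", "scopes": {"trade"}}}
SEEN_NONCES = set()  # (key_id, nonce) pairs already accepted


def sign(secret: bytes, action: str, nonce: int, body: str) -> str:
    """Client side: the secret signs the request and never goes on the wire."""
    # JSON array encoding keeps the field boundaries unambiguous.
    msg = json.dumps([action, nonce, body]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(key_id: str, action: str, nonce: int, body: str, sig: str) -> str:
    """Server side: returns "ok" or the reason the request is refused."""
    key = KEYS.get(key_id)
    if key is None:
        return "unknown key"
    expected = sign(key["secret"], action, nonce, body)
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return "bad signature"
    if (key_id, nonce) in SEEN_NONCES:
        return "replayed nonce"
    if action not in key["scopes"]:
        return "action not permitted for this key"
    SEEN_NONCES.add((key_id, nonce))
    return "ok"
```

A captured signature is bound to one action, nonce and body, so it cannot be reused for a different call, and a correctly signed `withdraw` request is still refused because the key's scope covers only `trade`.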