If I were to do something like:
io.connect('localhost', {query:"user=test&pass=1234"});
Could somebody find the user and pass information easily (like a regular GET form)? Is there any way to improve this?
Or should I just get login credentials after a connection has been made?
Yes, of course. Just like any request made over an insecure channel, all data can be viewed by a third party. Use HTTPS/TLS.
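The point of the answer above, as an added example that is not part of the original question or answer: what a passive observer on the network path can read from the handshake request under http versus https. It assumes the handshake is an HTTP GET to the default `/socket.io/` path with the `query` option appended; the function names are hypothetical.

```javascript
// Added example (Node.js): what a passive on-path observer can read from
// the Socket.IO handshake request, depending on the URL scheme.
// Assumption: the handshake is an HTTP GET to /socket.io/ and the client's
// `query` option is appended to that URL's query string.
const HANDSHAKE_PATH = '/socket.io/'; // assumed default path

// Build the handshake URL the client would request.
function handshakeUrl(origin, query) {
  const url = new URL(HANDSHAKE_PATH, origin);
  url.search = query;
  return url;
}

// Return what is readable on the wire without breaking any encryption.
function observerView(url) {
  const encrypted = url.protocol === 'https:' || url.protocol === 'wss:';
  if (encrypted) {
    // TLS encrypts the request line and headers. The hostname and port
    // are typically still visible (DNS, SNI, destination address).
    return { host: url.host, requestLine: null, params: {} };
  }
  return {
    host: url.host,
    requestLine: `GET ${url.pathname}${url.search} HTTP/1.1`,
    params: Object.fromEntries(url.searchParams),
  };
}

// List credential-like parameters that travel in cleartext.
function exposedSecrets(url, names = ['user', 'pass', 'password', 'token']) {
  const seen = observerView(url).params;
  return Object.keys(seen).filter((k) => names.includes(k.toLowerCase()));
}

// Constructed inputs: the query string from the question, over both schemes.
const plain = handshakeUrl('http://localhost', 'user=test&pass=1234');
const tls = handshakeUrl('https://localhost', 'user=test&pass=1234');

console.log('http :', observerView(plain).requestLine, exposedSecrets(plain));
console.log('https:', observerView(tls).requestLine, exposedSecrets(tls));
```

Even over TLS, a query string is still seen by the server itself and is commonly written to its access logs.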