This is a very good article from Webmonkey explaining why the vast majority of the web is stuck using the HTTP protocol, which sends all information (including usernames & passwords) as plaintext, as opposed to HTTPS, which encrypts it. Whilst HTTP is fine for a lot of static websites, it is very insecure for websites that have access to personal information, or that are accessed using some kind of password.
The problem with HTTP-based login sessions doesn’t stop at passwords being sent in the clear, though. Whilst users usually enter their password only once per session, the associated session cookie is sent with every request, so stealing this cookie is a lot easier than stealing the password. The stolen cookie can then be used to hijack that user's current session.
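To check a site you run for this exposure, the sketch below (an added example, not taken from the Webmonkey article) parses `Set-Cookie` headers and reports which cookies a browser would attach to a plain `http://` request. The header values, the cookie names and the host `forum.example` are constructed, and only the scheme rule of the `Secure` attribute is modelled, not domain or path matching.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers as a login response might return them.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=3f9a1c0e; Path=/; HttpOnly",           # session id, no Secure
    "auth_token=9b2d77aa; Path=/; Secure; HttpOnly",  # session id, Secure
    "theme=dark; Path=/",                             # harmless preference
]


def parse_set_cookie(headers):
    """Parse each Set-Cookie header value into a {name: Morsel} mapping."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        jar.update(cookie)
    return jar


def cookies_attached(jar, url):
    """Names of cookies sent with a request to `url` (scheme rule only).

    A cookie carrying the Secure attribute is withheld from http:// requests;
    every other cookie goes out with each request, in cleartext on http://.
    """
    scheme = urlsplit(url).scheme.lower()
    return sorted(name for name, morsel in jar.items()
                  if scheme == "https" or not morsel["secure"])


def exposed_session_cookies(jar, session_names):
    """Session cookies an on-path observer can read from any http:// request."""
    over_http = set(cookies_attached(jar, "http://forum.example/"))
    return sorted(over_http & set(session_names))


if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_SET_COOKIE)
    # Which names identify a session is site-specific; these are assumed here.
    for name in exposed_session_cookies(jar, {"PHPSESSID", "auth_token"}):
        print(f"{name}: no Secure attribute, sent in cleartext over HTTP")
```

Marking a session cookie `Secure` only helps if the site is actually served over HTTPS; on an HTTP-only site the cookie would simply never be sent back.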
The main reasons why most websites don’t move to HTTPS have nothing to do with complexity of setup, but rather with the high cost of digital certificates, slower transfer speeds (due to the initial key exchange), and the inability of browsers to cache web pages. So for now, it doesn’t seem likely that your favourite forum or blog (even this one!) will switch to HTTPS.
So what can you do? Well, if you do use websites that require passwords to access, or that store session cookies on your computer, make sure you are using a network that is trusted. In other words, use a network that you know (such as one at your home or work), and in the case of wireless networks, make sure it is secured by at least WPA. Public WiFi access points that are usually found in coffee shops should be avoided, mainly because they are susceptible to Evil Twin attacks.
For users of Firefox who are more concerned about security and less about speed or caching, I highly recommend HTTPS Everywhere, an add-on that forces HTTPS on popular websites that are usually served over HTTP.