Login Security
With active password sniffing expected at public WiFi spots, providing a secure login is the responsible thing to do. Provide a secure form for your users so only encrypted text transits from your user's computer to your server. (And don't store passwords in cookies.)
Once a password is compromised, the cracker gains access not only to the user's account at your website, but also to every other account on the internet where the user has the same password.
It could be argued that users are responsible for using a different password at every website. But I think it more fitting as a site owner to acknowledge the reality that some people, perhaps many, use the same password in more than one place.
With the login form on a secure page, the user's browser can report that the page is secure. But that is not what provides the login security.
What provides the login security is the form submitting to an https://... secure URL, to software located on a secure server. It is the submission of the username and password that needs the encryption provided by the secure server SSL connection.
For additional security, an account lockout of 2 hours could be implemented whenever more than 5 incorrect login attempts occur during a period of 15 minutes, or whatever numbers are best for your implementation. The lockout can prevent continuous brute-force password guessing attempts.
For security, login forms need to submit to login software on a secure server.
Will Bontrager