By now it’s common practice for web sites to serve login pages over HTTPS in order to send passwords over an encrypted channel. Yet if the site unleashes the authenticated user back onto HTTP links (no "S"), then protecting the password may be a moot point.
From a web application’s point of view, your initial identity is proved by submitting valid credentials, but your identity in subsequent requests is tied to one or more "session tokens" — basically temporary cookies that are supposed to be unique to your browser. The following video demonstrates what happens when your browser’s unencrypted traffic is intercepted by a sniffer (like using a Wi-Fi connection in a cafe, library, airport, or even at home).
You can find a longer explanation of this problem (without getting tripped up in technical details) in one of my articles on Mashable.