"which one may share across many sites"

This should never be the case, people should not reuse passwords, which isn't to say this doesn't happen, but in the modern world with the tools available there's no sane reason for this.

In the interests of security there's no reason not to run the site (or any site) over https. Awareness of security is a big issue, always has been, and the general public are being made more aware, either by changes in applications (browsers warning them) or data breaches, well publicised hardware and software vulnerabilities, network shenanigans...

Tools and services exist to make this easier for users and administrators, (e.g. lets enrcypt/https everywhere). Even this doesn't seem to be enough. As long as go as yesterday, for a couple of hours, people ignored the big https error message, logged into what looked like their myetherwallet wallet anyway, resulting in a heist:

"Victims had to click through a HTTPS error message, as the fake MyEtherWallet.com was using an untrusted TLS/SSL certificate. The bandits have amassed $17m in Ethereum in their own wallet over time."

Another BGP hijack. You say you don't trust the networks you use, I know people who run their own VPN servers, exclusively for their own use, and route all their traffic over this, regardless of device or where they are, and even this doesn't protect from everything, as this example shows.

When do you stop? Hardware? At the moment, realistically a 'blobless' ARM based system is likely your best bet, but it's not a realistic option for most people at the right now.

Anyway, hammers are still pretty cheap.