Users should be warned before entering passwords on websites not loaded via HTTPS.
It should probably not require additional interaction, just inform the user in an appropriate form.
Since there is no HTTPS Only mode yet, it is fairly easy for an attacker in the same local network to perform downgrade attacks using tools like SSLStrip to make the user use plain HTTP connections for their browsing behavior.
This is amplified by only difference between an HTTP and HTTPS website being a small lock icon in the address bar, which is very easy to miss.
Firefox implements this by having a notice below the password field while the field is focused:
Chrome and Safari do not implement any warning.