How important is an SSL certificate for a website?

  softwareengineering

I’m bootstrapping my own project, it has a registration/login area (via devise with RoR, properly hashed and salted of course). As I’m using subdomains and I need to access them with iframes (it’s justified, really!) I’d need one of those expensive certificates that cover subdomains.

As I’m doing this out of my own time and money, I’m hesitant to drop a couple of hundred on a certificate, plus a couple of hours delving into something I haven’t tried before. I’m not storing any sensitive information besides the email address and the password. As far as I understand, the only vulnerability happens when a user logs in or signs up from an unencrypted network (such as a coffee shop) and someone is listening on the network.

Am I being cheap? Is this something I should tackle before releasing into the wild? I probably should mention I have 25,000 users signed up to be notified when I launch, so I’m nervous about it.

11

In the time since this question was asked, a lot has changed. Does your site need HTTPS? YES!

  1. Certificates with domain validation are free from many providers, e.g. Let’s Encrypt. These certificates are just as good as those for which you pay money. Thanks to Server Name Indication (SNI), it is not necessary to own a dedicated IP address.

  2. Browsers are increasingly marking non-HTTPS pages as insecure, rather than neutral. Having your site marked as insecure doesn’t look good.

  3. Modern web technologies require encryption. Whether it’s Chrome’s policy of only enabling new features for HTTPS sites, Google’s preferred ranking for HTTPS sites, or encrypted HTTP/2 being faster than plaintext HTTP/1.1, you are leaving opportunities on the table. Yes, encryption does add load to your servers, but this is unnoticeable for most sites – and particularly unnoticeable to users.

  4. Privacy is more important than ever. Whether it’s ISPs selling your clickstream or secret services sifting through all your connections, there’s no good reason to leave any communication publicly visible. Use HTTPS by default, and only use HTTP if you’re sure any transmitted information can safely be public, and may be tampered with.

    Note that passwords must not be transmitted over plaintext connections.

    Under some regulations such as the EU-GDPR, you are required to implement state of the art security measures, which would generally include HTTPS for websites.

There are a couple of non-solutions:

  • “Use OAuth instead of passwords” misses the point that there still are password-like tokens involved. At the very least, your users will have a session cookie that must be protected, as it serves as a temporary password.

  • Self-signed certificates are rejected by browsers. It is possible to add an exception, but most users will not be able to do that. Note that presenting a self-signed cert is indistinguishable to the user from a MITM attack using an invalid cert.

So: Certificates are free and HTTPS can make your site faster. There is no longer any valid excuse. Next steps: read this guide on migrating to HTTPS.
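The points above about passwords never travelling in plaintext and the session cookie acting as a temporary password are what Rails’ `config.force_ssl = true` enforces for a Devise app. As an added illustration (not code from the answer above or from Rails), here is a minimal Rack-style middleware, written without any gems, that does the same three things: redirect plaintext requests to HTTPS, send an HSTS header, and add the `Secure` and `HttpOnly` flags to any cookie the app sets. The sample app, host names and cookie value are constructed for the example; `X-Forwarded-Proto` is only trusted here on the assumption that a reverse proxy you control sets it.

```ruby
# Rack-compatible middleware: plain Ruby, no external gems required.
class ForceHttps
  # One year, covering subdomains (the question uses several of them).
  HSTS = "max-age=31536000; includeSubDomains"

  def initialize(app)
    @app = app
  end

  def call(env)
    unless https?(env)
      # Never serve the login form, or accept its POST, over plaintext.
      # A 301 turns a POST into a GET on the HTTPS side, so a plaintext
      # body is not replayed; it has already been exposed, but we do not
      # act on it.
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
      return [301, { "Location" => location, "Content-Type" => "text/plain" },
              ["redirecting to HTTPS"]]
    end

    status, headers, body = @app.call(env)
    headers["Strict-Transport-Security"] = HSTS
    # The session cookie is a temporary password: browsers must only send it
    # over TLS (Secure) and scripts must not be able to read it (HttpOnly).
    headers["Set-Cookie"] = harden_cookies(headers["Set-Cookie"]) if headers["Set-Cookie"]
    [status, headers, body]
  end

  private

  def https?(env)
    # rack.url_scheme is set by the server; X-Forwarded-Proto is assumed to be
    # set by a trusted reverse proxy in front of the app (assumption for this example).
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end

  # Rack joins multiple Set-Cookie values with newlines.
  def harden_cookies(value)
    value.split("\n").map { |c| add_flags(c) }.join("\n")
  end

  def add_flags(cookie)
    c = cookie.dup
    c << "; Secure" unless c =~ /;\s*secure\b/i
    c << "; HttpOnly" unless c =~ /;\s*httponly\b/i
    c
  end
end

# Constructed sample app standing in for the Devise-backed Rails app:
# it sets a session cookie on every response.
SAMPLE_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html",
          "Set-Cookie" => "_session_id=abc123; Path=/" }, ["ok"]]
end

# Run two constructed requests through the middleware and return what the
# browser would see, so the behaviour can be checked without a server.
def force_https_demo
  wrapped = ForceHttps.new(SAMPLE_APP)
  base = { "HTTP_HOST" => "app.example.com", "PATH_INFO" => "/users/sign_in",
           "QUERY_STRING" => "" }

  plain_status, plain_headers, = wrapped.call(base.merge("rack.url_scheme" => "http"))
  tls_status, tls_headers, = wrapped.call(base.merge("rack.url_scheme" => "https"))

  {
    plain_status: plain_status,                        # 301
    plain_location: plain_headers["Location"],        # https://app.example.com/users/sign_in
    tls_status: tls_status,                            # 200
    hsts: tls_headers["Strict-Transport-Security"],
    cookie: tls_headers["Set-Cookie"]                  # ...; Secure; HttpOnly
  }
end

if $PROGRAM_NAME == __FILE__
  force_https_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

In a real Rails app you would not write this yourself; `config.force_ssl = true` in `config/environments/production.rb` installs the equivalent middleware. The hand-written version only makes visible what that one line does.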

2

I’d buy one. The cost of the certificate is not that big considering the level of trust it provides to the users. Think of it as an investment. If your applications don’t seem to be secure (and properly signed SSL certificates give the impression that a website is secure) people may lose interest in using your future products.

4

If you are “only” gathering e-mails and passwords you may want to try creating your own certificate with OpenSSL (http://www.openssl.org/) before committing any funds.

But…

This is just something you can do to “try things out”, because website users will get a warning, as this will not be a recognized/accepted certificate.

My advice is to invest in SSL, simply because email and passwords are very sensitive private data that can lead to other kinds of exposure (say I use the same password for my email account – if this info leaks out, then all my e-mail data is exposed, including CC data, any and all access info I have for other online services and god knows what else…)

We need a secure and trustworthy WEB and few dozen bucks is a small price to pay for user security. (even as basic as SSL)

Security Concerns

As far as I understand, the only vulnerability happens when a user logs in or signs up from an unencrypted network (such as a coffee shop) and someone is listening on the network.

This is not true; data transmitted between the user and your website is never safe. Just as an example, http://www.pcmag.com/article2/0,2817,2406837,00.asp details the story of a virus that changed people’s DNS settings. No matter how well your current network is protected, any submission on the internet goes through many different servers before it gets to yours. Any one of them can be malicious.

SSL certificates allow you to encrypt your data in a one-way encryption that can only be decrypted at your server. So no matter where the data hops on its way to your server, no one else can read the data.

In most cases, and this depends on your hosting, installation of a certificate is rather painless. Most providers will install it for you.

SSL Cert Types

As noted in some answers, you can create your own SSL certificates. An SSL certificate is just a public and private key pairing. Your server gives out the public key, the client uses it to encrypt the data it’s sending, and only the private key on your server can decrypt it. OpenSSL is a good tool for creating your own.

Signed SSL Certificates

Purchasing a certificate from a certificate authority adds another level of security and trust. Again, it’s possible that someone can sit in between the client browser and your web server. They would simply need to give the client their own public key, decrypt the info with their private key, re-encrypt it with your public key and pass it on to you, and neither the user nor you would know.

When a Signed Certificate is received by the user, their browser will connect to the authentication provider (Verisign, etc.) to validate that the public key they received is in fact the one for your website and that there has been no tampering.

So, yes, you should have a signed SSL certificate for your site. It makes you look more professional, gives your users more peace of mind in using your site, and most importantly protects you against data theft.

More info on the Man In The Middle attack that is the core of the issue here.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
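The answer above (and the note in an earlier answer that a self-signed certificate is indistinguishable to the user from a MITM with an invalid cert) can be made concrete with Ruby’s `openssl` standard library, which is what a Rails app already ships with. The following is an added example, not code from any answer on this page: it creates a throwaway CA, a leaf certificate signed by that CA for `example.com` and `*.example.com` (the subdomain case from the question), and a rogue self-signed certificate carrying the very same names. A trust store holding only the CA then plays the browser’s role. All names, serials and validity windows are constructed for the example. The point it shows is that a name match alone proves nothing: the rogue certificate matches the hostname perfectly and still fails chain validation, and that chain check is what a CA-issued certificate buys you.

```ruby
require "openssl"

# Build an X.509 certificate in memory. issuer_cert == nil means self-signed.
# The extension set is the minimum a modern client needs: CA:TRUE for the CA,
# CA:FALSE plus subjectAltName for a leaf.
def build_cert(subject:, key:, serial:, issuer_cert: nil, issuer_key: nil, ca: false, sans: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600 # short-lived; constructed for the example

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("subjectAltName", sans.map { |h| "DNS:#{h}" }.join(", ")))
  end

  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Does the certificate chain to something in the trust store? (what a browser
# checks before it even looks at the name)
def trusted?(store, cert)
  store.verify(cert)
end

# Does the certificate cover this hostname, including wildcard SANs?
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

def cert_trust_demo
  names = ["example.com", "*.example.com"] # the wildcard the question asks about

  # A CA that "the browser" trusts (stands in for Let's Encrypt etc.).
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = build_cert(subject: "/CN=Example Trusted CA", key: ca_key, serial: 1, ca: true)

  # The site's legitimate certificate, issued by that CA.
  site_key = OpenSSL::PKey::RSA.new(2048)
  site_cert = build_cert(subject: "/CN=example.com", key: site_key, serial: 2,
                         issuer_cert: ca_cert, issuer_key: ca_key, sans: names)

  # What a MITM (or the "just self-sign it" approach) presents: same names, own key.
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue_cert = build_cert(subject: "/CN=example.com", key: rogue_key, serial: 3, sans: names)

  # The browser's trust store contains the CA only, never the site's own cert.
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)

  site_trusted = trusted?(store, site_cert)
  rogue_trusted = trusted?(store, rogue_cert) # false; store.error_string says why
  {
    site_trusted: site_trusted,                                         # true
    rogue_trusted: rogue_trusted,                                       # false
    rogue_error: store.error_string,                                    # e.g. "self-signed certificate"
    site_matches_subdomain: identity_matches?(site_cert, "app.example.com"),    # true (wildcard)
    site_matches_other: identity_matches?(site_cert, "app.attacker.example"),   # false
    rogue_matches_subdomain: identity_matches?(rogue_cert, "app.example.com")   # true, yet untrusted
  }
end

if $PROGRAM_NAME == __FILE__
  cert_trust_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Note the last two results together: the rogue certificate passes the hostname check and fails the chain check. That is the whole difference between a self-signed certificate and one issued by a CA the browser already trusts, and why a browser treats the self-signed one exactly like an active attacker’s.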

Passwords should be treated as personal information — frankly, given password reuse, a password is probably more sensitive than an SSN.

Given that and your description, I wonder why you are storing a password at all…

I would use OpenID and if you feel the need to have your own login, create a single subdomain for that, and use OpenID everywhere else.

If you won’t do OpenID, you can still use the same login.yourdomain pattern to keep from needing a wildcard certificate, but like I said, in today’s world passwords are at least as sensitive as an SSN/birthday; don’t collect them if you don’t have to.

RapidSSL through Trustico is only $30 or you can get a RapidSSL wildcard for less than $160 – they also have a price guarantee, so if you find it cheaper they’ll match it.

If you have a unique IP, you might as well get a certificate, particularly if you deal with any data that is even remotely sensitive. Since you can get free trusted certificates from StartSSL, there’s really no reason for not having one.

It would be wise to buy one. As mentioned, it is ALL about end users’ trust in your website.

so I'm hesitant to drop a couple of hundreds on a certificate – well it is not expensive and you may get one under $50.

SSL is really important to secure your site and add a level of confidence for the visitors to your site. In regards to the login process, why not use OAuth?
This feature will spare users the hassle of spending time registering for your website. Website user traffic will really benefit from that. Seriously, find some time to research it.

A good reference on common SSL questions – All about SSL Certificates

An SSL has drawbacks. It slows down your website. Really.

The only reason why people are using SSL certificates is when there is the customers’ money involved.

If you are not involving your customers’ money, the decision to take an SSL certificate is purely business oriented.

If you’re having a backend for your customers, with no money involved on the website, but they need to be sure that they’re secure, then sure take a certificate. It’s an investment for your customers’ trust.

13

Dropping some money on a wildcard SSL certificate may be the best option, or it may not. Take a look at the Caddy web server: https://caddyserver.com/. It has many nice features, notably built in support for grabbing free certificates from Let’s Encrypt. You can just specify all your domains in its config file and it will grab certs for them. The other really cool feature is On-Demand TLS. If you enable it, whenever it receives a request for a new domain it doesn’t have a cert for, it grabs one during the initial TLS handshake. That means you can have literally thousands of domains and not have to configure each individual one in the Caddy config.

Note: As much as my enthusiasm may make it seem like it, I am not affiliated with Caddy in any way, shape, or form, other than being an avid user of their product.

It’s all about the users; they do not provide any kind of security, the certificates are just products to sell.

You may want to take a look at this

http://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers

5
