People on an open WiFi can have their username and password stolen by an eavesdropper. This is what the general use of SSL is about, IMHO (but then I don't know enough about html and WiFi to be dangerous)
I think you have the gist of it, but there are some subtle details.
SSL isn't about WiFi. It is about creating a secure, encrypted link between a web server and a browser. Let's say you are in a public coffee house using an open WiFi internet connection. Your communication between your web browser (on your device) and Bonsai Nut is encrypted - even if the connection is not secure. So if someone were eavesdropping on the WiFi network, they could see your traffic... but it would be encrypted. Note that includes username and password credentials.
Now if you were in a public coffee house using an open WiFi internet connection and accessing a non-encrypted web site, someone eavesdropping on the WiFi network could see your traffic, and understand it. In that case, it wouldn't just be username and password, it would be all communication over the WiFi channel. If you were doing ecommerce or visiting a bank (and those sites were not using encryption, which is highly unlikely) they could steal all of that information.
Note that all of this is theoretical. Although it is possible, it is not usually practical. In fact, for all of the fear-mongering, I am not sure I have read about a SINGLE account of someone having their personal information hacked from an open public WiFi channel. I have used unswitched hubs with packet sniffers to decypher Internet traffic coming into my house. Don't ask me why, but though it was legal, some companies would not be happy to hear about it. It is difficult, and not particularly efficient. Why would you worry about hacking local WiFi networks in the hopes that one individual might expose some small security detail, when you can hack the Social Security Administration, and get 100 million records of eveyone's personal information?
Trust me when I say that no one is looking at Bonsai Nut as a security target... because we don't have anything of value for them.