Because of this narrow risk, we encourage our clients to still get ssl certs as they grow. However, when they are small MVPish non-sensitive apps with 50 users, the risk of this kind of attack is very small. (For example, Facebook Connect, which has the same vulnerability I described, would be a much more obvious target with a very high payload.)
The way we see it is getting people who are about to either store plaintext passwords or not salt their hashes correctly or pass them over non-https (like HN by default, boo!) or mess up a dozen other things, we're much more secure.
1. It's a shitty UX
2. There are more people without an OAuth provider than there are with them
3. It's a sure fire way of killing your conversions
4. It means people start getting tethered to providers
5. It's very complicated when it goes wrong
6. THIS DOESN'T SOLVE THE OP'S QUESTION AT ALL. OP POINTS IT OUT. YOU IGNORE OP.
Enabling SSL stops people sniffing sensitive data on public wifis. That's why everyone says enable SSL by default.
Also there's something wrong if you're a programmer and can't afford an SSL cert as it's the same price as a couple of beers.
I also find your password advice extremely questionable, it just doesn't make sense to me.