Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.

So you have a login form/inputs on an http page

Solution:
Have your login form on a secure page https

Many websites do it, but remember normal people don't have Firebug running so they never see that message

No, the security risk is when they are sent to a page using HTTP instead of HTTPS

Gonna disagree, the tunnel could have already been intercepted and posting to https is not gonna make a difference at that point.

Because the target could have already been replaced, the connection may be secure but the connection to where?
If it's loaded on an SSL connection to start with then it cannot be altered.

That's one I never thought of.  But I guess if there is enough money involved, someone will try that.

Doesn't need that much money involved, pop into the local cafe with wi-fi, you could probably pick up login details and other stuff and Joe Bloggs would never know.

30 minutes later you could be ordering all kinds of things - worst case scenario I know but...has happened.

I don't WiFi anywhere.  I have a wireless router though I don't use it for any of my own business.  Last time I checked, there were 52 wireless networks here.