This is much easier than you think. I once used a packet sniffer, with a filter that allowed anything as long as it contained POST data, on an unsecured network. Within a couple of hours I had a lot of logins and sensitive information. Of course, I discarded the information I gathered.
"Any fool can write code that a computer can understand. Good programmers write code that humans can understand." --- Martin Fowler
Please correct my English.
It is a "good practice" to use HTTPS/TLS for any userid/password forms. And a site that specializes in teaching how to program should set a good example. So the next time the site gets tweaked, it should be set up to use HTTPS for the login process.
Using TLS is necessary, but by no means sufficient, to make a site secure.