If the site is not encrypted, an active attacker who is Man-In-The-Middling the connection (which is relatively simple to do on public wifi) can just strip the login cookies from your request, so that the user thinks that, for some reason, they have been logged out of the site. The user will then almost certainly log back in, allowing the attacker to capture the username and password. Because password reuse is so common, for many people this would also give the attacker access to their accounts on other websites, some of which may be more valuable to the attacker.
Even if the user doesn't log into the website while it is being monitored, their session cookies will still be transmitted in plaintext, which would allow the attacker to simply set those cookies in their own browser, and they would be logged into your website. Firesheep is a tool that allows you to do this easily. This doesn't give the attacker access to the user's password, but they still have full access to the account.
In terms of other issues that would arise from not using HTTPS, it depends on the website. The attacker is able to modify all traffic to and from the server, so an attacker could take advantage of the trust that the user has in your site to make them reveal more information or to download malware. The attacker could also inject exploits into the page to attack the user's browser or other software on their computer.
Secure connections also protect against ISPs intercepting and modifying traffic - Comcast injects ads into websites, and AT&T tracks users' browsing habits
Aside from security, using HTTPS also allows you to use additional browser features that are not available over HTTP:
- In all browsers, HTTP/2 is only available over an encrypted connection, and it can have considerable performance benefits compared to HTTP/1.1.
- In all browsers, Web Workers (background scripts that allow you to provide an experience closer to a native app (offline support, push notifications etc)) are only available if the page was loaded over HTTPS.
- In Chrome, the Geolocation API has now been removed for insecure sites, and other browsers are likely to follow.
- In all browsers, certain new features that are considered sensitive, such as certain hardware capabilities, will only be available on pages loaded over HTTPS.
Even if your site wouldn't benefit from any of those features (though not benefiting from the speed of HTTP/2 is a hard case to argue IMO), implementing HTTPS is free using a service such as Let's Encrypt, and isn't too hard to set up (there are lots of guides online), so there isn't much reason not to use it.