If the passwords can be stolen on open Wifi depends if the password is transmitted in the first place and then if the data are transmitted in clear.
Are the data transmitted in clear?
If you use https instead of http for all data (like in case of gmail) then the data are not transmitted in clear. This means that it is unlikely that an attacker can get access to the plain traffic, although an insecure system open to MITM attacks (like having the SuperFish certificate installed) or a user blindly ignoring certificate warnings can still lead to a successful man in the middle attack and thus to interception of unencrypted traffic.
Note also that all significant traffic must be protected with https. This not only includes the main page but also any embedded scripts or CSS. Fortunately modern browsers simply block insecure mixed content by default, i.e. don't load Javascript via http if it is included on a https page.
Is the password send at all?
Most applications today have a separate login dialog which asks for the password once per session and then only transfers the status of the specific user (i.e. logged in or not and other information) using a session ID. In this case the password can not be easily sniffed since it is not transmitted in the first place. But, the session ID is in many cases as precious as the password itself and allows an attacker to impersonate the user even if the password itself is unknown to the attacker.
And, if the attacker can sniff the traffic (i.e. no https but only http) he can often also modify the traffic. This means the attacker could modify it in such a way that the current session gets invalidated and the web applications asks again for the password. If automatic filling of passwords is enabled this might even be done without the user noticing it (depends on browser).
And then there are a few sites which don't use their own login page but instead use Basic Authentication build into browsers. In this case the username and password is transmitted inside the HTTP request header for each request and can be easily extracted if the connection is not protected.
Am I save if I don't visit the site when using an open Wifi?
No you are not. If the attacker can modify some traffic he can trick your browser into visiting any site he wants and thus get access to any passwords or session ID's transmitted in clear. And if done cleverly you might not even notice it. See for example PoisonTap for how to quickly extract information from a browser. While this specific attack makes use of Ethernet over USB it can be done the same way inside an attacker controlled Wifi (which any open Wifi might be).
Also, more complex attacks are possible like polluting the browsers cache which might result in the attacker controlling some of your browsing even if you are no longer logged into the open Wifi.
What can I do to protect myself?
Don't use open Wifi at all.
Alternatively use a VPN but make sure that the VPN is actually active from start. This might not be possible in all cases since many open Wifi require to first acknowledge their terms of service. Mobile systems like Android often detect such captive portals and handle this for you by opening the captive page in a separate browser, but on Desktops you are usually on your own. Also, some open Wifi simply block VPN traffic.