What are the attack vectors for passwords sent over http?
The data is vulnerable anywhere along the route, not just the first or last stage. It is quite conceivable that a system involved in the transfer searches out user names, passwords and other sensitive data. It follows therefore that sensitive data should only travel over a link that is secured all the way and of course that is exactly what SSL is for. Depending on what data is involved there may well be local laws that dictate SSL.
Something to make note of that others haven't mentioned here is that some browsers cache your form data. The default behavior on SSL sites typically is to not cache anything unless you chose "save my password". Typically password fields don't cache anyway, but I've seen some oddities (typically credit-card info, which I know isn't really the topic of the question).
The other thing to note is that SSL Encryption starts at TCP handshake. Once under SSL you cannot distinguish HTTP over SSL from FTP over SSL (aside from assumptions made via port number).
You also cannot distinguish a login request from a "Im just browsing" request, this obfuscates the page-flow from would-be hackers and also makes sure not only your password-data is safe, but your browsing history / cookie data / and any personal information that goes along with your account.
All-in-all if you eliminate man-in-the-middle attacks from the spectrum you cut down on a lot of the potential attacks, that is not to say that your site is 'safe' though. Also zoning policy should help protect you from XSS attacks since you'll be making a zone-change if your user is re-directed out of your site.
There are proxy servers which might store data.
But there is also an obligation to keep users passwords safe. Many users use a limited set of passwords, so an unsafe site might compromise their homebank password for example.