Every site uses TLS encryption these days. Just look at the URL for this site. It begins with https. So there's no way for the Wi-Fi hotspot to snoop on the traffic. And if they tried to spoof the website (man in the middle attack), then they wouldn't have a valid TLS cert, so it would fail. And if they tried to downgrade the traffic to plain http, the browser would flash a warning.
If you ever try to install a new root certificate on your device you will get a big warning about whether to trust this, so I don't see how the operator of a malicious WiFi hotspot could get a user to download a rogue root cert without big warnings flashing up either.
That's not to say that there aren't other dangers with using public WiFi. But I think the danger of your passwords being snooped is minimal nowadays due to almost universal adoption of TLS for websites and browser warnings when anything unusual with TLS is happening. The exception is if the WiFi provider itself asks you to sign up to it's service with an email address and password and you re-use your existing password that you also use for your email account or anything else.