Wifi without password has higher risk than usually known from non IT persons and underestimated as problem as well.
You need consider that website to IP translation is done, obviously, from DNS server and DNS Spoofing technique (with ARP poisoning) that change website name to IP association.
In this way, with Pishing technique, a website cloning is proposed to user that write on browser, for example, www.facebook.com.
So hacker can get user and password insertion and stole, in this way, user credentials.
If you like you can read this italian article that explain more verbosely concept.
http://www.matematicamente.it/informatica/11535-dns-spoofing-e-phishing-rischi-per-wifi-non-protetta
[update 2019.06.01]
Today I would like to indicate risks about WIFI SSID properly created to collect information, passwords and so on.
https://pixelprivacy.com/resources/public-wifi-dangers/
