PPRuNe Forums - View Single Post - HTTPS warnings on PPRuNe
Old 24th Mar 2017, 08:52
crablab
 
Join Date: Apr 2016
Location: localhost
Age: 25
Posts: 220
For those talking about how people should have "better things to do with their time" et al.: that is absolutely the worst attitude you can take with regard to web security. I work in the industry and we spend huge amounts of time and money building and testing websites to withstand all sorts of attack. As has been mentioned, it only needs one website to be "hacked" and all their users' credentials are on the internet. If they haven't used a secure hash (i.e. not MD5 or SHA1) or salted it (a way to make it much harder to "brute force" passwords) it is likely their password will appear against the hash (in a rainbow table) on the internet, alongside their email etc. This is where users not adopting good security practices actually create huge flaws in online services. If no-one repeated passwords across websites and everyone used strong passwords the attack vector would be greatly limited. But people don't, which is why we have to assume all users are stupid.

Things like SSL massively increase the security of a website - they also, to an extent, help prevent phishing and human engineering. Therefore, saying that it isn't "necessary" or "useful" for "my small website" is absolute rubbish.

I'm a security researcher, penetration tester and software engineer.
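
Added example, not part of crablab's post: the difference between unsalted MD5 and a salted, slow hash when a credential store leaks. The account names, passwords and the small lookup table (standing in for a rainbow table) are constructed, and PBKDF2-HMAC-SHA256 is an assumed choice of "secure hash" that the post does not name.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts reusing one common password.
USERS = {"alice@example.com": "letmein", "bob@example.com": "letmein"}
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
ITERATIONS = 600_000  # assumed work factor for the slow KDF


def md5_unsalted(password):
    """The weak scheme: fast and unsalted, same input always gives same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed hash -> password map, standing in for a rainbow table."""
    return {md5_unsalted(p): p for p in candidates}


def hash_salted(password):
    """Per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def recovered_from_dump(dump, table):
    """Accounts whose stored hash appears in the precomputed table."""
    return {user: table[h] for user, h in dump.items() if h in table}


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    md5_dump = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    # Unsalted: identical passwords share one hash, so one lookup exposes both.
    weak = recovered_from_dump(md5_dump, table)
    # Salted: each stored digest is unique, so the precomputed table never matches.
    strong = recovered_from_dump({u: d.hex() for u, (_, d) in salted.items()}, table)
    return weak, strong, salted


if __name__ == "__main__":
    weak, strong, _ = demo()
    print("recovered from MD5 dump:   ", weak)
    print("recovered from salted dump:", strong)
```

Salting defeats precomputation and hides password reuse between accounts; the iteration count is what slows down guessing against a single stolen hash.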