You are partially right though. Many webpages are known to steal information like that. Steam accounts for example:
[URL unfurl="true"]https://community.chrono.gg/t/my-steam-account-was-stolen/14720[/URL]
Just last month there was one example posted on MT actually:
[URL unfurl="true"]https://malwaretips.com/threads/ultra-sneaky-phishing-scam-swipes-facebook-credentials.90594/[/URL]
Always check the certificate in detail, when in doubt, though it is not 100% guarantee either.
Password managers also help, since they display login only when on a legitimate page.
