I have tried to explain the reason why HTTPS on the entire site would be best below:
Let's say you set up two pages on your site to be available through HTTPS:
/login.php
/loginhandler.php
login.php contains the login form, where the user inputs their username / password, and this form will submit to loginhandler.php.
This way, no one on your clients' network can modify this form when the user requests login.php, as it is served through HTTPS.
Your loginhandler.php is also served through HTTPS, so no one on any clients' network will be able to see the username / password they sent to the server when logging in.
HOWEVER:
If the rest of the "logged-in" content of the site is not in HTTPS, an attacker will be able to inject anything he wants (and see all the content the logged-in user requests).
For instance, he may inject a "You have been logged out, please provide your login details: (form)" message onto any page, where the form would submit to his own server instead of yours. Then the users' password will be compromised.
An attacker will also be able to inject malicious to the index of the site before the user has even gotten to /login.php, redirecting them to different sites, or even changing the address of the login button on your site.
Edit / A note om MitM attacks:
Man-in-the-middle attacks only work if the attacker has control of the network.
This can include (but is not limited to): your ISP, your employer at work, your neighbor if you connect to his network, etc.
Lastly, if an attacker wants to INJECT (change) content on a website, he will need to be targeting a specific website (this can of course be automated, usually for bigger volume sites). Listening for data is much easier than modifying it.
