You don't need xss on login page. You can have xss on any page and open an iframe/window with login and then steal via same origin