by nhumrich 1795 days ago
Except, if there is XSS, it's usually in user-submitted data, like a post. You wouldn't type in your password on a user post or alert box. And the login page is usually on a different page altogether, by itself.
2 comments

I disagree about "usually." I would say it is very common now for the login controls to be in the sidebar and visible wherever. Not to mention how many things you would care about compromising are single-page apps or at least very rich apps that might just use a popover.
This is kind of irrelevant since you can pretty easily override everything about the XSS payload to make it look like a legitimate login page for the site you're looking for.

Depending on the nature of the site, it's possible it won't even stand out as odd even if it loads a login control at a non-"login" URL.

HTML5 History API allows for modifying the URL too.

If an attacker leverages an XSS, they can exactly replicate the login page, URL and all, only limited by payload size and modern protections like CSP.