I could make it such that any time you log in using a "secret URL" link, the site pops up a warning message suggesting that you should set a username and password.

That should prevent the attack from working on people who read popup messages.  But that may be quite a small percentage of people.