I understand the threat, but I’m not sure that this should be standardised. If the attacker has access to the user’s browser, even if the browser removes the password when the
input is switched to
text, the attacker can still get the value by hitting the JS console and looking at the input’s
value. And you can’t remove that as it’s needed for logins that work through XHR.
So the attack is really just the case in which there is a Show Password checkbox and the attacker has a split second in which to click it but not the time to open the console. I’m not sure browsers could defend against that without causing issues for legitimate uses. The better solution is to get rid of login dialogs altogether
I guess that a Web app can detect this by noticing that the password field has been filled out but has never been focused. In that case, it could disable its Show Password checkbox until such a time as the
password field has been both focused and cleared. Technically it’s not hard; I’m not sure that there wouldn’t be cases in which it might confuse users though.