How about just globally disabling focus stealing by all applications? That would prevent a lot of this outright. For some reason this basic security hole has been around since day one with no desire to correct it.
Does this mean Windows keeps your password around in clear text (or reversible encoding)? Why bother having the user type it, if the OS can read it right out?