Yeah that's the problem though: A lot of websites don't set the password field to "type=password" or they don't set the second (verify) password field like that. Why do they do this? Either the web developer didn't really know what they were doing or they were given some very unique requirements (e.g. need to work with a legacy framework).