Summary: sites are using a custom font which is just little circles for each character, so when you type your password, it looks like you’re typing into a password field. This bypasses browser warnings.
Hadn’t thought of this before. Sort of clever, but bloody idiotic at the same time.
Even better, the “password” will be stored by regular autocomplete!
Of course, it’d be much more of a pain to think of an implement this hack instead of, you know, applying TLS. I don’t think you’d be judged for using even Let’s Encrypt if your budget simply doesn’t allow for certificates.
Is there something about LE that makes it “less than” which a business would be judged?