This really borks in terms of accessibility, as the huge change as a result of an onblur event will be awkward. Also, it will require JS to do so, so simple post is no longer an option. Of course the system I'm working on won't work without JS and a modern browser anyway.
What if password fields had a "bitbucket" mode where they swallowed all input and overwrote it with "xxxxxxxxxxx"? Then instead of "a huge change" from an onblur event, when the email is checked for login type, conventional username/password users just have their password field turn off bitbucket mode. No one reveals their password to the provider. Everyone is happy -- but only in this hypothetical future world where browsers have this new functionality.
How? In that case, some people come along and manage to enter their password, perhaps because they didn't enter their login or email first. The bitbucket entry field soaks the information up, and it's never revealed. Most of the time, when they enter the login, the password field can disappear in that case. Or is there something I'm missing?
