[grumpyfart]

Why the hell one opens a website to choose password and serve it over clear-text (HTTP)?

Isn't that ironic? Trying to make something secure by actually making it totally insecure?

(Before someone jumps, even it's JS it doesn't mean safe against MITM as someone can inject JS before it loads and send all keystrokes to another server)

[jexe]

Seems like the real threat here is training a user that it's ok to use third party web sites to tell them what password to use. That's a very bad habit.