by xaitv 2770 days ago
But what if people have multi-word passwords? At that point the solutions become so over-engineered (either use some ngram-like setup to detect passwords being posted or save a hash for each separate word of the user's password, which also decreases security since then you know the user has a multi-word password) that you might as well drop that feature.
1 comments

Just forbid spaces?
That significantly reduces entropy in the password.

Also, the premise is faulty, because as soon as users figure out they can't type their password in the chat, they'll just describe it in words or split it into two pieces etc.

Give them a big scary message "Never give out your password to strangers" when the censoring happens, because it's highly likely somebody is pretending to be an admin asking for a password in that situation.
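
Added example, not part of the thread or of any project discussed in it: a sketch of the n-gram check described above, run against the normal salted login hash, counting how many KDF calls one chat message costs and returning the warning text on a match. The function names, `MAX_WORDS` and the low `ITERATIONS` value are assumptions made for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # assumption: kept low so the demo is fast; real verifiers use far more
MAX_WORDS = 4       # assumption: longest passphrase, in words, the filter looks for
WARNING = "Never give out your password to strangers"


def make_verifier(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) the way a login system would store them."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def candidates(message: str, max_words: int = MAX_WORDS):
    """Yield every run of 1..max_words consecutive words in the message."""
    words = message.split()
    for n in range(1, max_words + 1):
        for i in range(len(words) - n + 1):
            yield " ".join(words[i:i + n])


def check_message(message: str, salt: bytes, stored: bytes) -> tuple[bool, int]:
    """Return (leaked, kdf_calls). Each candidate costs one full KDF run."""
    calls = 0
    for cand in candidates(message):
        calls += 1
        digest = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, ITERATIONS)
        if hmac.compare_digest(digest, stored):
            return True, calls
    return False, calls


def filter_message(message: str, salt: bytes, stored: bytes) -> str:
    """Replace a message containing the password with the warning text."""
    leaked, _ = check_message(message, salt, stored)
    return WARNING if leaked else message


if __name__ == "__main__":
    # Constructed sample data for the demo.
    salt, stored = make_verifier("correct horse battery")
    print(check_message("sure my password is correct horse battery ok", salt, stored))
    print(check_message("first half is correct horse then battery", salt, stored))
```

An eight-word message that does not match costs 26 KDF runs at `MAX_WORDS = 4`, and the split-up password in the second call passes the filter untouched.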