by AStonesThrow
622 days ago
Guys, it is very difficult to avoid logging clear text passwords if your systems are set up to compile auditable logs of anything, and you already know why. Because people will constantly enter their passwords in the wrong places, that's why. Classic Unix systems administrators always found passwords logged as usernames. Or in shell history files. Or on typescript transcripts. Facebook's forms are no different, and all it takes is a moment of inattention, type into the wrong field, an accidental copy-paste, or an overzealous password manager, and how many millions of users will eventually send in their passwords? The truly marvelous technical feat would be to devise a way to stop this. Essentially, you couldn't. It's a complex issue. Not negligence.