[peeters]

Fine, so just omit the area for the image completely. Showing an error in place of the image is obviously a stupid choice over just asking for the password up front, and just omitting it (by pretending there shouldn't be one) will not trigger panic in non-savvy or forgetful users.

[ncallaway]

This makes me wonder how sophisticated phishing setups are. This seems like something that they would want to A/B test to determine which "converts" more "users".