Bear in mind that if the user has been brought to a "poser" web site, no password manager
client-side bug is gonna matter if he/she is clicking "OK" anyway. The data has been
deliberately sent (i.e. exposed). The client-maintained list is not, in and of itself,
compromised. The hidden form field phishing is a bit less culpable for the client. The simplest
solution might be to add a "paranoia" setting to the PM that presents a DB exposing the FQDN
about to receive the sensitive submission, asking "Are you sure this is a valid authentication
The onus is on the user to double check the validity of the transaction one last time.
IMHO, any truly sensitive authentication should be using encrypted transmission with mutual
trust verification anyway, or the user should seriously consider doing business elsewhere.
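As an added example (not code from the comment above or from any particular password manager), here is the kind of "paranoia" check the post describes: before credentials are handed to a login form, resolve where the form will actually submit and compare that FQDN against the one the saved entry belongs to. The form's `action` is resolved against the page URL because a poser page or an injected form can point the submission somewhere other than the page the user is looking at. The `savedEntry` record shape and the function names are assumptions for illustration.

```javascript
// Added example: a minimal "paranoia" pre-submission check for a password manager client.
// Not taken from the original comment or any real password manager.

// Resolve the host that will actually receive the form submission.
// formAction may be absolute, relative, or empty (empty submits to the current document URL).
function submissionTarget(pageUrl, formAction) {
  const target = new URL(formAction || "", pageUrl); // WHATWG URL, available in Node and browsers
  return {
    host: target.hostname,            // URL parsing already lowercases the host
    secure: target.protocol === "https:",
  };
}

// Decide whether the user should be shown the confirmation dialog.
// savedEntry is a hypothetical PM record: { fqdn: "bank.example", username: "..." }.
function paranoiaCheck(savedEntry, pageUrl, formAction) {
  const t = submissionTarget(pageUrl, formAction);
  const reasons = [];
  if (t.host !== savedEntry.fqdn) {
    reasons.push(`credentials were saved for ${savedEntry.fqdn} but this form submits to ${t.host}`);
  }
  if (!t.secure) {
    reasons.push("the submission would not travel over https");
  }
  return { host: t.host, warn: reasons.length > 0, reasons };
}

// Build the text the dialog would show; the user still makes the final call.
function promptText(savedEntry, check) {
  const lines = [`About to send the login for ${savedEntry.fqdn} to ${check.host}.`];
  for (const r of check.reasons) lines.push(`Warning: ${r}.`);
  lines.push("Are you sure this is a valid authentication?");
  return lines.join("\n");
}

// Constructed sample inputs (not real sites).
const entry = { fqdn: "bank.example", username: "alice" };
console.log(promptText(entry, paranoiaCheck(entry, "https://bank.example/login", "/session")));
console.log(promptText(entry, paranoiaCheck(entry, "https://bank.example/login", "https://poser.example/collect")));
```

The check looks at the resolved submission target rather than the address bar, which is the part a hidden or injected form can change without the user noticing; everything else (the dialog, the final "OK") is still the user's decision, as the comment says.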