
One reason to dissuade users from using the clipboard to paste passwords is this: the password stays in the clipboard.

Not all users realize this, and so don't 'clear' the clipboard after logging in, which means their password is still available to anyone else who might use that computer.



That seems like an incredibly weak argument: if an attacker has physical access to the machine, all bets are off. How do you know that there wasn't anything installed to MITM everything already?


So, the login form can just clear the clipboard instead, in the onsubmit() handler.


That's an interesting idea actually. My first response was that you can't freely interact with the clipboard, but you can set it provided you do it in response to a JS event, so in theory that is possible. The only problem is that you'd need to be sure the clipboard did actually contain the password, because of course you can't read it. I guess you can log whether onpaste fired and then, if the login button is clicked within a second or two, clear the clipboard.


And by 'clear', I mean add a textbox, set its value to an explanatory message '{app} cleared the clipboard because it contained your password' and then execCommand on it.


You can't alter the clipboard from JS (you can on browsers that support the execCommand API but still).


Hopefully there is nothing important in the clipboard, like some data that the user will attempt to submit a second time after logging in. It sounded like a good idea at first, but now I want my +1 back :p


Of course. The implementation should check if the clipboard content is equal to the entered password.
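The scheme sketched in this sub-thread (note when a paste hit the password field, clear the clipboard on submit only if that paste was recent, and, where the clipboard can be read, only if it still holds the entered password), written out as an added example that is not from any commenter. The app name, the `form#login` selector and the injectable `clipboard` adapter are assumptions so the logic can run outside a browser.

```javascript
const PASTE_WINDOW_MS = 2000; // "a second or two" after the paste
// Tracks a paste into the password field and, on submit, overwrites the
// clipboard only if the paste was recent and (when the clipboard can be
// read) still holds the entered password, so unrelated data is not lost.
function createPasteGuard(appName, now = Date.now) {
  let lastPasteAt = -Infinity;
  return {
    onPaste() { lastPasteAt = now(); },
    // clipboard: { read: (() => string | null) | null, write: (text) => void }
    // Returns the message written, or null when nothing was cleared.
    onSubmit(clipboard, password) {
      if (now() - lastPasteAt > PASTE_WINDOW_MS) return null;
      lastPasteAt = -Infinity;
      if (clipboard.read) {
        const current = clipboard.read();
        if (current !== null && current !== password) return null;
      }
      const msg = `${appName} cleared the clipboard because it contained your password`;
      clipboard.write(msg);
      return msg;
    },
  };
}
// Adapter for the textarea + execCommand trick from the thread; it cannot
// read the clipboard, so read is null and the equality check is skipped.
function textareaClipboard(doc) {
  return {
    read: null,
    write(text) {
      const ta = doc.createElement('textarea');
      ta.value = text;
      doc.body.appendChild(ta);
      ta.select();
      doc.execCommand('copy'); // must run inside a user-initiated event
      doc.body.removeChild(ta);
    },
  };
}
// Browser wiring; skipped when there is no DOM (e.g. running under node).
if (typeof document !== 'undefined') {
  const form = document.querySelector('form#login'); // assumed form id
  const pw = form && form.querySelector('input[type=password]');
  if (form && pw) {
    const guard = createPasteGuard('ExampleApp'); // assumed app name
    pw.addEventListener('paste', () => guard.onPaste());
    form.addEventListener('submit', () => guard.onSubmit(textareaClipboard(document), pw.value));
  }
}
```

A browser that exposes `navigator.clipboard.readText` can supply a `read` function to the same guard, which is what makes the "compare against the entered password" check above possible.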


I've written short PowerShell functions that watch your clipboard and send it over UDP to a remote PowerShell session. Does your favorite PowerShell module have something similar? It could simply load with PowerShell and start logging your clipboard.


LastPass is quite clever in that whenever you copy a password into the clipboard, it clears the clipboard after a little time.



