Lots of related ideas here

There are lots of good ideas in this post. Related work:

Browsers need to make password entry boxes more special. They must, in fact, present a UI that no other tool or common plugin can emulate.

My design for Passpet does this. The user only enters a secret into the toolbar, after clicking a custom icon that is hard to emulate because the icon differs from user to user. Password fields are always filled by clicking a button.

One simple step might be to encourage the user to start all important passwords with some special characters of their choice, like “%&” or similar. If they ever type these characters and they’re going into a javascript reader or applet or flash program, we should be on immediate alert.

Stanford's PwdHash uses this trick. They ask users to start all passwords with "@@". Upon detecting "@@" the browser enters a special mode where keypress events are diverted away from normal event processing. Any JavaScript in the page will think the user is typing in "abcdefg" after that. When you submit the login form, the browser then replaces "abcdefg" with the password for transmission.

Another clue might be a different cursor for use when I’m typing characters to a text box in the browser (especially password box) from when my keystrokes are going anywhere else (like javascript.)

Web Wallet had a feature similar to this. Any characters you type into the webpage are animated, flying out of the page in a huge font, which is supposed to make you uncomfortable if you are typing in your password. However, the participants in their user study didn't seem to notice or care.
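The keystroke diversion described in the PwdHash paragraph above can be modelled without a browser. This is an added example, not part of the original comment and not PwdHash's code; the class, method names and sample password are assumptions made for illustration.

```javascript
// Simplified model of a protected password-entry mode (constructed example).
const PREFIX = "@@";                          // trigger prefix named in the comment
const MASK = "abcdefghijklmnopqrstuvwxyz";    // placeholder characters shown to the page

class ProtectedField {
  constructor() {
    this.pageValue = "";        // what page scripts can read from the field
    this.pageEvents = [];       // keys delivered to page event handlers
    this.secret = [];           // real characters, held outside the page
    this.protectedMode = false;
  }

  // Browser-side hook: runs for each printable key before the page sees it.
  keypress(ch) {
    if (this.protectedMode) {
      // Divert the real key; hand the page a predictable placeholder instead.
      const placeholder = MASK[this.secret.length % MASK.length];
      this.secret.push(ch);
      this.deliver(placeholder);
      return;
    }
    this.deliver(ch);
    // Only a field that *starts* with the prefix switches modes.
    if (this.pageValue === PREFIX) this.protectedMode = true;
  }

  deliver(ch) {
    this.pageValue += ch;
    this.pageEvents.push(ch);
  }

  // At submission the placeholder text is swapped for the real characters.
  // Assumption: the prefix itself is not transmitted.
  submitValue() {
    return this.protectedMode ? this.secret.join("") : this.pageValue;
  }
}

// Helper that feeds a constructed sample string through the hook.
function typeInto(field, text) {
  for (const ch of text) field.keypress(ch);
  return field;
}

const demo = typeInto(new ProtectedField(), "@@hunter2"); // constructed sample
console.log(demo.pageValue, "->", demo.submitValue());
```

A password typed without the prefix never enters protected mode, so page scripts see every real character; the scheme depends on the user always typing the prefix.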
