Newer browsers notify users when a login form will be sent over an insecure connection. But some websites are replacing password boxes with plain text inputs to avoid triggering the warning – and using a special font, where all the characters are circles, to fool their users.
Troy Hunt makes an example of ShopCambridge.ca: https://twitter.com/troyhunt/status/925462678516019200?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fwww.troyhunt.com%2Fbypassing-browser-security-warnings-with-pseudo-password-fields%2F
And as you've probably guessed by now, that "font" is nothing other than a single disc per character designed to be a visual representation of the real disc you'd normally see when entering text into a proper password field. It needs to work in this order because otherwise the place holder would no longer say "Password" and you'd instead see 8 round discs representing the letters of the word. The bottom line is, once all this is tied together then there's the veneer of a password field but because it isn't a password field, there's no browser warnings! It's like magic! More specifically, it's a pseudo password field designed to fool the user and deny them of the browser's visual warning designed to protect their password.
The craft involved is such that it can't be explained by sheer laziness. It's a peculiar mix of paranoia, marginal competence and the Dunning-Kruger effect. A million smalltown websites brought to the brink of ruin by the local Magic Alex-esque "tech wiz" they placed total faith in to run it.
Hahahaha.