How about this: if focus is in a password field, then you get a visual signal somewhere in the chrome--e.g., the color of the location bar changes. Something that HTML+JS just can't do.
We can't train users to look for a lock icon to see if they're SSL encrypted, so I'm not optimistic that something as subtle as a URL bar change is going to guide them to secure password inputs.
Consider this, then: a secure password box is put at the very very bottom of the page in an obscure location. JS is used to make a fake one that is prominent. How will you deal with that?
