RSA conference site sends an ajax request per keystroke when entering password (opens in new tab)

Probably the strong/weak indicator. Maybe it should be done client side in javascript. It might be possible to narrow the range of likely passwords by analysing the timings of the requests.