If you have special characters in your password like most good passwords should, and you type your password (with special chars) into a textbox in password mode and use ctrl+bkspc to clear the password, it will give you the location of the special chars in the password box.
I consider this a gigantic security flaw and is pretty terrible. I have only found this behavior in IE. Is this known? I seem to remember running into this for years.
EDIT:
for example, try this
go to gmail in IE
focus on the password box and type "password" (no quotes) and then hit ctrl+bkspc
then do the same for 'pass/word' (no quote)