RSA conference site sends an ajax request per keystroke when entering password

Probably the strong/weak indicator. Maybe it should be done client side in javascript. It might be possible to narrow the range of likely passwords by analysing the timings of the requests.