Actually, that brings up a potential problem for me because sometimes I do click the eyeball icon to show my password to myself.

This attack might be too slow as long as I hide the password within 30 seconds, but future versions of the attack might be fast enough to capture multiple characters, especially if the malicious website hosting the iframe knows which pixel positions will be occupied by the password box.