This is true, but I've also run into legitimate password fields on different domains. Multiple times. The absolute worst offender is mobile app vs browser.

Why does the mobile app use a completely different domain? Who designed this thing?