After reading the summary, I went ahead and downloaded the extension to see if I could figure out a way to bypass it. I tried a few more obvious methods first, all of which were detected by the extension.
My 4th attempt at bypassing the extension seems to work just fine though. It works by binding the window.onkeyup and window.onkeydown methods, determining which character corresponds to the key being pressed, then appending that character to the username or password fields if one of them has focus. Once the value has been added to the appropriate field, the event is cancelled using e.preventDefault(). I put a proof-of-concept up on my site in case anyone is interested. Here's the raw code for that page if you don't want to go to some random SlashDot poster's website.
This method only took a few minutes for me to come up with, so I'm probably not the first one to figure this out, but I thought I'd share anyways.