I thought that most architectures forced applications to ask about a password, they didn't get passwords to the app side to do strcmps
At some point there is no stopping the fact that a password will be typed by a user and that if you have enough data on what is happening you can find out if the login was a success. If you can link the password to the success you have it.
However that is relatively easy to solve. My bank in fact is the one I use because their security is better than most. For my account I have a password and a passnumber. When I want access the computer asks for 2 letters (e.g. letter 3 and letter 6), and then 2 numbers (e.g. number 1 and number 4). It then uses this for a yes no answer. Thus if you are listening you get the info for the session I have started, but nothing more. Next time it will ask for different letters and different numbers. You could listen for a long time and work it out but that would require patience and depend on my frequency of access.