My 5 cents in discussion:
1) The controller exists only while viewing your input. After you send the registration information, you usually change the view, thereby destroying the controller.
2) Even if it exists throughout the session, obtaining the data would require a rather complicated scheme with XSS.
3) In addition, you have several elements to further reduce the risk:
(if you use HTTPS, the browser should not allow you to call AJAX on the HTTP resource, and HTTPS requests will fail if the certificate is not signed and an exception has not been added for the site)
4) Finally, you can use OAuth for authentication if the server supports it.
5) Ofc. it all depends on the level of security that your application requires. If you are really worried that someone is taking the password while the person is away from the car, you should consider a different authentication approach, such as client certificates (on smart cards), additional one-time codes, or something similar.