@burnout426 Thanks for your answer.
Chrome does the same.
I checked the attributes with "inspect". The type for the second and third entry field is set to attribute="password". The problem might be that the third field (for the real password) is named id ="passwd1", while the second one (for the one-time RSA number) is named id="passwd".
So obviously the browser is led to think the field named "passwd" is the password.
Dang. Seems to be a tricky one.
Maybe it´s useless to find a general solution just by logic.
Perhaps... if there is more than one password-field, the browser could either ask the user, which one to save or just save all password-fields?
If you want to have a look at the page I´m talking about: it´s www/vapp/vkb/de
(slashes are dots, of course).
I think it´s a standard citrix login screen.