better heuristic for determining where to fill in a token in GP forms

GlobalProtect's prelogin doesn't give us much information to determine where
a token code might be filled in.

Current behavior:
1. Use the password field in the first form as a token field.
2. Ignore the fact that a second "challenge" form might be coming.

New heuristic:
1. If the label for the password field in the first form has a non-default
value (not empty or “Password”), then treat that as the token field.
2. Otherwise, assume a second form ("challenge") is coming, and treat the
password field in the first form as a normal password, then treat the
password field in the second form as the token field.