by PonyGumbo 5542 days ago
Or losing half the fields due to a validation error, which then creates other validation errors when you re-submit. "Oops! Your password contains illegal characters. Please select a new password. (submit) Oops! Please select a state from the dropdown menu."
2 comments

I recently purchased new insurance. One company's site created its own scrolling widget for dropdowns. Not sure why, but each page had several of these devil widgets.

If you spun the mouse wheel every single custom scroll widget would rapidly change value! Things like jumping from "Single" to "Divorced." I ended up just dropping them from my comparison because I was so unsure of the data I had provided them.

I really find it annoying that I have to retype my password whenever there is an error with a completely non-related part of the form.

I know that it would be irresponsible for them to send me back my password in plain text, so I guess I can live with it. But it is still annoying.

There are straightforward workarounds for this problem. The password field is typically obscured anyway, so the user doesn't see the characters in the field. When a user submits a form where they are asked for a password and a confirmation, you can temporarily persist that data on the server side, linking it to the user's session. You then send a dummy string to the client that matches the length of their supplied password, so that A) the user doesn't have to re-fill your password & confirmation, and B) the raw password data is not sent back to the client.

Good implementations of this approach also don't persist the password in plain-text in the temporary store. You crypt the password using whatever method you were going to when you stored it in the database and keep that around until you're ready to make the changes permanent.
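An added Python sketch of the approach the comment above describes (example code, not from anyone in this thread): on a failed submission the server keeps only the salted hash of the password, bound to the session id and with an expiry, and re-renders the password fields with a placeholder. If the placeholder comes back untouched, the stashed hash is used; if the user types something new, it replaces the stash; and a placeholder that arrives without a live stash is rejected rather than hashed as if it were the password. One deliberate deviation: the placeholder has a fixed length rather than matching the real password's length, since a length-matching dummy tells anyone who can view the page how long the password is. The session store (a dict), the state list, the field rules and the scrypt parameters are all constructed for the demo.

```python
"""Re-present a form after a validation error without echoing the password.

Added example; everything below is constructed for illustration and is not
code from the thread. hashlib.scrypt is a real stdlib function, but the
n/r/p parameters here are illustrative, not tuned for production.
"""
import hashlib
import os
import time

PLACEHOLDER = "\u2022" * 12          # fixed length: does not reveal the real length
STASH_TTL_SECONDS = 600              # drop an abandoned stash after ten minutes

US_STATES = {"CA", "NY", "TX"}       # constructed subset for the demo

# session_id -> {"pw_hash": bytes, "salt": bytes, "created": float}
_pending: dict = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted scrypt of the password (memory cost 128*n*r = 16 MiB here)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)


def password_errors(password: str, confirm: str) -> dict:
    """Constructed password rules: minimum length, then confirmation match."""
    errors = {}
    if len(password) < 8:
        errors["password"] = "Password must be at least 8 characters."
    elif password != confirm:
        errors["password_confirm"] = "Passwords do not match."
    return errors


def other_errors(form: dict) -> dict:
    """Constructed rules for the non-password fields."""
    errors = {}
    if form.get("state") not in US_STATES:
        errors["state"] = "Please select a state from the dropdown menu."
    return errors


def _stash_get(session_id: str):
    """Return the session's stash, discarding it if it has expired."""
    entry = _pending.get(session_id)
    if entry is None:
        return None
    if time.time() - entry["created"] > STASH_TTL_SECONDS:
        del _pending[session_id]
        return None
    return entry


def handle_submit(session_id: str, form: dict) -> dict:
    """Process one POST of the form.

    Returns {"status": "ok", "pw_hash", "salt", "state"} when everything is
    valid (ready to persist), or {"status": "error", "errors", "form"} to
    re-render; the echoed form never contains the password, only PLACEHOLDER.
    """
    password = form.get("password", "")
    confirm = form.get("password_confirm", "")
    stash = _stash_get(session_id)

    if stash is not None and password == PLACEHOLDER and confirm == PLACEHOLDER:
        # user left the placeholder alone: reuse the hash from the earlier attempt
        pw_hash, salt, errors = stash["pw_hash"], stash["salt"], {}
    elif PLACEHOLDER in (password, confirm):
        # placeholder with no (or expired) stash: never hash the placeholder itself
        pw_hash = salt = None
        errors = {"password": "Please re-enter your password."}
        _pending.pop(session_id, None)
    else:
        errors = password_errors(password, confirm)
        if errors:
            pw_hash = salt = None
            _pending.pop(session_id, None)   # a bad password invalidates any old stash
        else:
            salt = os.urandom(16)
            pw_hash = hash_password(password, salt)

    errors.update(other_errors(form))

    if not errors:
        _pending.pop(session_id, None)       # stash is single-use
        return {"status": "ok", "pw_hash": pw_hash, "salt": salt, "state": form["state"]}

    # echo every field except the password pair, which get the placeholder
    echo = {k: v for k, v in form.items() if k not in ("password", "password_confirm")}
    if pw_hash is not None:
        _pending[session_id] = {"pw_hash": pw_hash, "salt": salt, "created": time.time()}
        echo["password"] = echo["password_confirm"] = PLACEHOLDER
    else:
        echo["password"] = echo["password_confirm"] = ""
    return {"status": "error", "errors": errors, "form": echo}


if __name__ == "__main__":
    first = handle_submit("sess-1", {"password": "correct horse", "password_confirm": "correct horse", "state": "ZZ"})
    print(first)   # error on state; password fields carry the placeholder
    second = handle_submit("sess-1", {"password": PLACEHOLDER, "password_confirm": PLACEHOLDER, "state": "NY"})
    print(second["status"], second["pw_hash"].hex()[:16])
```

The stash is keyed by session id, expires, and is cleared on success, so a leaked or stale session cannot pick up someone else's pending hash; the response dict is the only thing that reaches the client, and it never carries the password.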

If filling the password in will result in plain text passwords being sent back, you have already lost, because you just submitted a plain text password over HTTP. Similarly, if you're on SSL, it's plain text in neither direction. In either case, sending it back in the form has not changed the security situation.