[chacha102]

I really find it annoying that I have to retype my password whenever there is an error with a completely non-related part of the form.

I know that it would be irresponsible for them to send me back my password in plain text, so I guess I can live with it. But it is still annoying.

[bradleyland]

There are straight forward workarounds for this problem. The password field is typically obscured anyway, so the user doesn't see the characters in the field. When a user submits a form where they are asked for a password and a confirmation, you can temporarily persist that data on the server side, linking it to the user's session. You then send a dummy string to the client that matches the length of their supplied password, so that A) the user doesn't have to re-fill your password & confirmation, and B) the raw password data is not sent back to the client.

Good implementations of this approach also don't persist the password in plain-text in the temporary store. You crypt the password using whatever method you were going to when you stored it in the database and keep that around until you're ready to make the changes permanent.

[jerf]

If filling the password in will result in plain text passwords being sent back, you have already lost, because you just submitted a plain text password over HTTP. Similarly, if you're on SSL, it's plain text in neither direction. In either case, sending it back in the form has not changed the security situation.