by freewheeling 4609 days ago
Web devs can recommend that input fields not use autocomplete: http://www.w3schools.com/tags/att_input_autocomplete.asp

It's considered good practice to use it on login fields, but otherwise depends on whether you think security or user preference should take priority.

3 comments

Why is it good practice to use it on login fields? That just means your users will use weaker (easier to remember) passwords on your site instead of using random, unique ones stored in a password manager.
Users that find this "good practice" annoying can override it with a bookmarklet or extension: http://kb.mozillazine.org/User_name_and_password_not_remembe...
I've noticed with Firefox (17 ESR) that, having once used Firebug to delete the 'autocomplete="no"' attribute on a password field and then submitted the form, it's not necessary to do so again; in whatever heuristic Firefox uses to determine how to behave in that case, the existence of auto-completion data for the field apparently overrides the advice given by the attribute. For those leery of adding still more extensions to a Firefox profile already well larded with them, this may be useful information.
An attacker that can make use of an auto-completing password field has got enough access to mean that the game is over anyway - they can get that password from a variety of other sources on the machine.

Turning off autocomplete on login fields doesn't make that form more secure, and it does annoy users.

As kalleboo says, it probably reduces security as your users change to easy-to-type passwords, or keep needing password resets.

Sorry, there's a bit of misunderstanding here; I should have made it clearer. Password type fields shouldn't autocomplete on browsers anyway. The "good practice" I meant is for devs to set autocomplete off for the username field - to prevent the login username or email address popping up (especially if the site is accessed on public or shared computers).
That's just infuriating. You're choosing to break functionality that I rely on to help me log in to your website, and there's absolutely no reason to do so.

> especially if the site is accessed on public or shared computers

People setting up those computers need to learn how to provide clean sessions for their users, rather than relying on every single website in the world doing weird things in forms.