by DanBC 4609 days ago
An attacker that can make use of an auto-completing password field has got enough access to mean that the game is over anyway - they can get that password from a variety of other sources on the machine.

Turning off autocomplete on login fields doesn't make that form more secure, and it does annoy users.

As kalleboo says, it probably reduces security as your users change to easy-to-type passwords, or keep needing password resets.

1 comments

Sorry, there's a bit of misunderstanding here; I should have made it clearer. Password type fields shouldn't autocomplete on browsers anyway. The "good practice" I meant is for devs to set autocomplete off for the username field - to prevent the login username or email address popping up (especially if the site is accessed on public or shared computers).
That's just infuriating. You're choosing to break functionality that I rely on to help me log in to your website, and there's absolutely no reason to do so.

> especially if the site is accessed on public or shared computers

People setting up those computers need to learn how to provide clean sessions for their users, rather than relying on every single website in the world doing weird things in forms.
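The thread argues over whether a site should put autocomplete="off" on its login fields. The following is an added example, not code from the thread or from any commenter: a small audit that scans a login form's markup and reports fields that switch autofill off, or give the browser no hint at all. It goes a little beyond the thread in suggesting the HTML standard's autofill field names ("username" and "current-password"), which browsers use to fill saved logins. The field names, the regex heuristic for spotting a login identifier, and the sample markup are all assumptions constructed for the example.

```javascript
// Added example, not code from the thread above: audit a login form's markup
// for the autocomplete settings the comments argue about. Assumes the field
// names below; "username" and "current-password" are the HTML standard's
// autofill field names, which modern browsers use to fill saved logins.
// The regex parser is enough for a markup snippet; on a live page you would
// walk document.forms instead.

function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4] ?? "").toLowerCase();
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Heuristic (an assumption): a text/email field with one of these words in
// its name or id is the login identifier.
const LOGIN_NAME = /user|login|email|account/;

// Returns one finding per field whose autocomplete setting either disables
// the password manager (the practice the thread objects to) or gives the
// browser no hint at all.
function auditLoginForm(html) {
  const findings = [];
  for (const f of parseInputs(html)) {
    const type = f.type || "text";
    const ac = f.autocomplete || "";
    const field = f.name || f.id || "(unnamed)";
    if (type === "password") {
      if (ac === "off") {
        findings.push({ field, issue: "autocomplete=off on password field", fix: 'autocomplete="current-password"' });
      } else if (ac !== "current-password" && ac !== "new-password") {
        findings.push({ field, issue: "no autofill hint on password field", fix: 'autocomplete="current-password"' });
      }
    } else if ((type === "text" || type === "email") &&
               (ac === "username" || LOGIN_NAME.test(field))) {
      if (ac === "off") {
        findings.push({ field, issue: "autocomplete=off on username field", fix: 'autocomplete="username"' });
      } else if (ac !== "username") {
        findings.push({ field, issue: "no autofill hint on username field", fix: 'autocomplete="username"' });
      }
    }
  }
  return findings;
}

// Constructed sample markup: the discouraged form and the corrected one.
const FORM_AUTOCOMPLETE_OFF = `
<form method="post" action="/login">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password" autocomplete="off">
  <input type="submit" value="Log in">
</form>`;

const FORM_WITH_HINTS = `
<form method="post" action="/login">
  <input type="email" name="email" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <input type="submit" value="Log in">
</form>`;

for (const finding of auditLoginForm(FORM_AUTOCOMPLETE_OFF)) {
  console.log(`${finding.field}: ${finding.issue}; use ${finding.fix}`);
}
console.log(`hinted form findings: ${auditLoginForm(FORM_WITH_HINTS).length}`);
```

Run it with Node; the first form produces two findings (one per field) and the second none. The audit only looks at markup, so it says nothing about the shared-computer scenario raised above: a browser profile that is wiped between users, or a private window, is what protects a saved username there, not a form attribute.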