Closed chillu closed 3 years ago
Actually, I changed my mind after reviewing various security resources (ASVS, NIST), which don't give recommendations either way. There's only guidance for allowing paste into password fields (not using onPaste=false event handling).
On balance, autocomplete=off prevents many discussions from coming up through audit findings. And it's ignored by most modern browsers and password managers anyway, so changing it to autocomplete=on won't make much difference to the average user experience (or their security profile).
A 2016 opinion piece made me reconsider this: https://www.pivotpointsecurity.com/blog/autocomplete-and-application-security-testing/. There's also a handy test where you can check the XSS potential of a specific password manager: https://markitzeroday.com/xss/autocomplete/2018/07/08/password-autocomplete-and-modern-browsers.html
This was disabled way back in CWP 1.x, with an unclear rationale. In 2021, we want to encourage users to use password managers, which often rely on the password field allowing autocomplete.
From MDN (https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/password#allowing_autocomplete):
"off": Don't allow the browser or password manager to automatically fill out the password field. Note that some software ignores this value, since it's typically harmful to users' ability to maintain safe password practices.