ushahidi / crowdmap-issues

A centralized repository for filing, tracking and discussing bugs and features in Crowdmap.com and Crowdmap's API.

Failed crowdmap login repopulates password field #361

Closed shadowhand closed 10 years ago

shadowhand commented 10 years ago

A failed login attempt should never repopulate a password input, as it can be combined with an XSS vector to scrape user passwords. When login returns with failure, the password input should be immediately cleared.

evansims commented 10 years ago

We never repopulate password fields, actually; the login process is done via a background ajax request so the page never reloads. You're right, though; we should be clearing that field after failed attempts. I'll ensure this gets in with the design update.

evansims commented 10 years ago

Confirmed fixed in forthcoming UI update.
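The behaviour requested in this issue, sketched as an added example that is not part of the thread and is not Crowdmap's code: an AJAX login handler that clears the password input on every outcome, including a request that throws. The names `submitLogin`, `applyLoginOutcome`, `postLogin`, the element ids and the `/login` endpoint are all assumptions made for illustration.

```javascript
// Added example with hypothetical names; not Crowdmap's implementation.
// `fields` holds the username and password inputs. Only `.value` is used,
// so plain objects can stand in for DOM elements outside a browser.

function applyLoginOutcome(fields, outcome) {
  // Clear the password on every outcome. The page never reloads in an
  // AJAX flow, so nothing else will empty the input, and a value left
  // there can be read by any script running in the page.
  fields.password.value = '';
  if (outcome && outcome.ok) {
    return { loggedIn: true, message: '' };
  }
  // The username is kept so the user only has to retype the secret.
  return { loggedIn: false, message: 'Login failed.' };
}

async function submitLogin(fields, postLogin) {
  let outcome;
  try {
    // postLogin is an injected function that performs the background
    // request and resolves to { ok: boolean }.
    outcome = await postLogin(fields.username.value, fields.password.value);
  } catch (err) {
    // A network error or rejected request counts as a failed attempt.
    outcome = { ok: false };
  }
  return applyLoginOutcome(fields, outcome);
}

// Browser wiring (assumed element ids and endpoint):
//   const fields = {
//     username: document.getElementById('username'),
//     password: document.getElementById('password'),
//   };
//   const postLogin = (u, p) =>
//     fetch('/login', {
//       method: 'POST',
//       headers: { 'Content-Type': 'application/json' },
//       body: JSON.stringify({ username: u, password: p }),
//     }).then((r) => ({ ok: r.ok }));
//   form.addEventListener('submit', (e) => {
//     e.preventDefault();
//     submitLogin(fields, postLogin).then((res) => showMessage(res.message));
//   });
```

Routing the thrown-request case through the same function as a rejected login keeps an unexpected error from leaving the password in the field.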