One of the systems I work with was analyzed by a security team and among some security practices they recommended, was the inclusion of autocomplete="off" in elements input of type password .
I would like to know if this would be unnecessary, since browsers already "know" that it is a password insertion field and probably (I think) they will not enable autocomplete .
Example:
<input type="password" name="password" autocomplete="off">
Some browsers implement password management; when it enters a password in the form the browser gives the option to save it, when the site is visited again, the field is auto-filled. What's more, the browser allows the user to choose a "master password" that will be used to encrypt the stored data.
So some browsers do not support autocomplete="off" .
In some cases, the browser will autocomplete to complete automatically, even if the attribute is set to off .
The correct thing your security team should recommend would be autocomplete="nope" . Since this random value is not a valid value , then the browser will give up filling it.
This is a unique customer issue, if the client selects to save the password, the browser will give priority to it.
This is really debatable. I'll be doing a broader reading and I'll be editing that answer.
Bookstore: