Do not let browser save the password

I can not say, but I believe that in most browsers if putting in the <form> tag should work:

<form action="baz.aspx" method="post" autocomplete="off">

Of course regardless of this, this is something user control, it is a facilitator, I think it should be user choice whether or not he wants to save.

Of course there are some workarounds that might solve the problem, such as using a form fault combined with Ajax, that is, you probably would not even use asp:TextBox runat=server for example (should not be within form ):

<div id="meu-form" data-url="foo.aspx" data-location="/dashboard/">
    <input name="login" autocomplete="off">
    <input name="pass" autocomplete="off">
    <button class="logar">Logar</button>
</div>

And in Ajax it would look like this:

var form = document.getElementById('meu-form'),
    requesting = false;

actLogon.onclick = function() {
    if (requesting) return;

    //Bloqueia as requisições enquanto estiver logando
    requesting = true;

    var action = form.dataset.url;
    var loc = form.dataset.location;

    var actLogon = form.querySelector('button.logar');
    var login = form.querySelector('login');
    var pass = form.querySelector('pass');

    //Variaveis que vão para o servidor
    var variaveis = [
         "login=" + encodeURIcomponent(login),
         "pass=" + encodeURIcomponent(pass)
    ].join("&");

    //Ajax
    var oReq = new XMLHttpRequest;

    oReq.open("POST", action, true);

    //Função assíncrona que aguarda a resposta
    oReq.onreadystatechange = function()
    {
        if (oReq.readyState === 4) {
            if (oReq.status === 200) {
                if (oReq.responseText === "sucesso") {
                    window.location.replace(loc);
                } else {
                    alert("Erro: " + oReq.responseText);
                }
            } else {
                alert("Erro: " + oReq.status);
            }

            actLogon = false;
        }
    };

    //Envia a requisição, mas a resposta fica sendo aguardada em Background
    oReq.send(variaveis);
};

Explaining the code:

• The <div id="meu-form" data-url="foo.aspx" data-location="/dashboard/"> will stay in place of the form

The data-url="foo.aspx" must contain the value of the URL that will be used only for ajax

• The data-location="/dashboard/" must contain the destination URL, ie the screen after the user is logged in

• The variaveis should contain the keys and values that will pick up the Ajax page ( foo.aspx is just an example)

  var variaveis = [
       "login=" + encodeURIcomponent(login),
       "pass=" + encodeURIcomponent(pass)
  ].join("&");
  

• Your aspx should only return the text sucesso in the response to Ajax, if the login was correct:

  if (oReq.responseText === "sucesso") {
      window.location.replace(loc);
  } else {
      alert("Erro: " + oReq.responseText);
  }
  

  Otherwise it will display alert with an error message, which you can customize.

No foo.aspx (regardless of the name you give), something like:

context.Response.ContentType = "text/plain";

var login = context.Request.Form["login"];
var pass = context.Request.Form["pass"];

//Faz o login aqui

if (/*Se o login estiver correto*/) {
    context.Response.Write("sucesso");
} else {
    context.Response.Write("Erro");
}

context.Response.End();

Seeing this response from the SO

Failed to set type="password" to input hidden' . It is also necessary that this input comes before the input that will actually be used.

<form>
    <div style="display: none">
         <input  type="password" />
    </div>

    <asp:TextBox ID="txtsenha" AutoCompleteType="Disabled" CssClass="form-control" runat="server" autocomplete="new-password" type="password" placeholder="Senha"></asp:TextBox>
</form>