In case you missed it, both IE 11 and Chrome recently made a change and they now ignore autocomplete="off" on password input fields within HTML pages. This attribute is something I've always recommended for input fields that contain sensitive data so that browsers won't store the data locally where it could be compromised. Apparently the changes were made solely because lots of people are using password managers. Here's a snippet from a messy MSDN blog post that tries to explain the reasoning for changing IE:
Password Managers improve real-world security, and the IE team felt it was important to put users in control. Users rely on their password manager to permit them to comfortably use strong passwords. Password managers encourage strong, unique password creation per site, but unique, strong passwords are often difficult to remember and type on touch devices. If the browser doesn't offer to autocomplete a password, the user assumes that the browser is broken. The user will then either use another browser that ignores the attribute, or install a password manager plugin that ignores it.I'm not sure I agree. Moving to another browser would not have worked since they all honored the attribute until recently. It is also stated plainly that users could use a password manager plugin to overcome the restriction.
And here's a snippet from a message posted by the Chrome team with their reasoning:
We believe that the current respect for autocomplete='off' for passwords is, in fact, harming the security of users by making browser password managers significantly less useful than they should be, thus discouraging their adoption, making it difficult for users to generate, store, and use more complex or (preferably) random passwords.Maybe I don't understand the decisions because I don't use a password manager. Either way, I'm glad all browsers continue to honor autocomplete="off" for non-password (type="text") input fields.