We have ran a few vulnerability scanners over a few of our web apps, and one of the 'low risk' errors it flags is password auto-complete is enabled.
I went to the login page for the said system, which has an initial login page where users need to supply username & password combination, and 'viewed source' - which does show a line in the HTML of:
<p><label for="httpd_password">Password</label> <input name="httpd_password" type="password"></p>
This was the extract from the vulnerability assessment report. My question is, how big of a risk is this? I am not fully confident it does auto-complete anything, as if I log out the system aclose the browser and re-try access I am back to the login page where I need to enter my credentials again. Nothing has been auto completed for me? Is something superseding this so called vulnerability to make it less of a problem, henc the low risk scoring - or is this something to be worried about? I haven't tried every browser to see how it behaves. Is it good practice to turn this off on any web app?