Auto Complete behaviour should be disabled in Password form fields
A number of password form fields within the application had the client-side _autocomplete_ behavior enabled.
This is a convenience feature in most browsers that lets users store passwords for different websites without having to remember them. Upon visiting a page whose password was _remembered_ by the browser, the password field will be filled in automatically for the user. This exposes two different risks:
* If the application is vulnerable to cross-site scripting an adversary could craft an XSS payload that abuses the autocompletion feature to steal stored passwords.
* An adversary with local access to the user's environment (e.g. shared office or hotel computer) would generally be able to extract stored passwords from the local cache.
* The password fields in the change password forms
End User UI
Low - Nice to Have