Bug 793017 (JBEPP-97) - Disable autocomplete on login.jsp
Summary: Disable autocomplete on login.jsp
Keywords:
Status: CLOSED NOTABUG
Alias: JBEPP-97
Product: JBoss Enterprise Portal Platform 4
Classification: JBoss
Component: Portal
Version: 4.3.0.GA_CP1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.3.0.GA_CP2
Assignee: Thomas Heute
QA Contact:
URL: http://jira.jboss.org/jira/browse/JBE...
Whiteboard:
Depends On:
Blocks:
Reported: 2009-07-10 10:54 UTC by Martin Weiler
Modified: 2012-02-28 16:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-22 10:26:01 UTC
Type: Task


Links
System: Red Hat Issue Tracker
ID: JBEPP-97
Private: 0
Priority: Major
Status: Closed
Summary: Disable autocomplete on login.jsp
Last Updated: 2014-02-12 22:18:42 UTC

Description Martin Weiler 2009-07-10 10:54:13 UTC
Date of First Response: 2009-07-10 22:24:22
Help Desk Ticket Reference: https://enterprise.redhat.com/issue-tracker/315634
project_key: JBEPP

Customer request to turn off username/password completion in the default login page by changing

  <input type="password" name="j_password" id="j_password" value=""/>
to
  <input type="password" name="j_password" id="j_password" value="" autocomplete="off"/>
 
in deploy/jboss-portal[-ha].sar/portal-server.war/login.jsp for security reasons.
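
An added example, not part of the bug report or the product's code: a Python check that flags password fields still permitting autocomplete, run against a constructed stand-in for login.jsp built around the two lines quoted above. The surrounding form, the `j_username` field and the `audit` helper are assumptions; a form-level `autocomplete="off"` is treated as inherited by its fields.

```python
import re
from html.parser import HTMLParser

# The two lines quoted in the bug description.
BEFORE = '<input type="password" name="j_password" id="j_password" value=""/>'
AFTER = '<input type="password" name="j_password" id="j_password" value="" autocomplete="off"/>'

# Constructed stand-in for login.jsp (not the shipped file).
SHIPPED = f'''<%@ page pageEncoding="UTF-8" %>
<form method="post" action="j_security_check">
  <input type="text" name="j_username" value=""/>
  {BEFORE}
</form>
'''
HARDENED = SHIPPED.replace(BEFORE, AFTER)


class PasswordFieldAudit(HTMLParser):
    """Record password inputs whose effective autocomplete is not "off"."""

    def __init__(self):
        super().__init__()
        self.form_value = None   # autocomplete inherited from the enclosing <form>
        self.findings = []       # (line number, field name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        own = (a.get("autocomplete") or "").strip().lower() or None
        if tag == "form":
            self.form_value = own
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if (own or self.form_value) != "off":
                self.findings.append((self.getpos()[0], a.get("name") or "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_value = None


def audit(jsp_text):
    """Return [(line, name)] for password fields that still allow autocomplete."""
    # Blank out JSP directives/scriptlets, keeping newlines so line numbers hold.
    html = re.sub(r"<%.*?%>", lambda m: "\n" * m.group().count("\n"), jsp_text, flags=re.S)
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("shipped :", audit(SHIPPED))
    print("hardened:", audit(HARDENED))
```

Current browsers' password managers may still offer to save or fill credentials on fields marked `autocomplete="off"`, so a clean result shows the attribute is present, not that the browser honours it.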

Comment 2 Dave Wichers 2009-07-11 02:52:14 UTC
I am the original requestor for this. It is required by the DISA Application Security STIG that autocomplete be off by default for password fields. By making it off by default, you make it safer for users of the portal, and you save every one of your DoD customers the trouble of having to fix the login.jsp page manually. Portal users that want this on can easily turn it back on so why not make it more secure by default?

-Dave

Comment 3 Wesley Hales 2009-07-11 18:39:09 UTC
I don't see any reason why we can't have this. I agree with making things secure by default. I will add it asap.

Comment 4 Thomas Heute 2009-07-22 10:26:01 UTC
I am not willing to change this for the following reasons:
 - It's not HTML compliant (autocomplete is not part of any schema)
 - Even more importantly it is a change in behavior for existing customers which is something we don't want to happen in a CP.

I understand the request, but I would also understand that companies want to leave the opportunity to their users to keep autocompletion which is the default behavior in many websites so that it reduces the barrier for a user to login.

At the end there would be 2 camps, people for this behavior and people against, and we can't satisfy both. With our promise to not change any behavior (except something clearly wrong) I am willing to keep the autocompletion.

At the end I don't see anyone going in production without changing the login.jsp file for look and feel purposes anyway.

Comment 5 Aaron Pestel 2009-07-30 02:15:37 UTC
Could we change it in the next non-CP release?  I would think most customers would prefer security first and as you said, they'll likely be modifying login.jsp anyhow so can take away extra security then if desired.

