Removal of loginpasswordautocomplete Headaches

by Wolf Ventir -
Number of replies: 0

Hello all, I don't think my comment in the tracker will be seen, so I wanted to bring it up here and see what people thought:


Previously this ticket removed a feature that added autocomplete="off" to the login form:

https://tracker.moodle.org/browse/MDL-55476

This item is actually a big headache for compliance related reasons.

Burp Security Suite identifies forms with autocomplete enabled as a warning. These are all shown as "Password field does not have 'autocomplete=off'" warnings.

These warnings turn into security issues on our monthly review. These monthly reviews have to be turned in to the Federal Government, which is unhappy with the flagged issues. Previously we could just enable this setting, and the problem would be solved. 

Regardless of whether or not browsers respect this setting, that is ENTIRELY the client's issue, not Moodle's. Moodle has no business telling clients what their browsers do or do not respect. There are configurations of browsers within secured federal government environments that DO respect these settings, and removing them is just playing pretend that there isn't a group of users that this impacts.

I would like this removal to be reconsidered.

What do people think? 


Average of ratings: -
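
The kind of finding described in this thread can be reproduced locally before a scheduled scan. The following is an added example, not part of the original post and not Moodle's or Burp's code: it parses a page and reports password fields whose effective `autocomplete` value is not `off`. The rule that a field's own attribute overrides the one on its form is an assumption about how such a scanner decides, and the sample markup is constructed.

```python
from html.parser import HTMLParser


class PasswordAutocompleteAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete value is not "off"."""

    def __init__(self):
        super().__init__()
        self._forms = []     # autocomplete value of each enclosing <form>
        self.findings = []   # (line number, field name, effective value)

    @staticmethod
    def _norm(value):
        return value.strip().lower() if value is not None else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._forms.append(self._norm(attrs.get("autocomplete")))
        elif tag == "input" and self._norm(attrs.get("type")) == "password":
            # Assumption: the field's own attribute overrides the form's.
            effective = self._norm(attrs.get("autocomplete"))
            if effective is None and self._forms:
                effective = self._forms[-1]
            if effective != "off":
                line, _ = self.getpos()
                self.findings.append((line, attrs.get("name", ""), effective))

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            self._forms.pop()


def audit(html):
    """Return a list of (line, field name, effective autocomplete) findings."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample login forms (not Moodle's real markup).
WITHOUT_SETTING = """<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
</form>"""
WITH_FORM_SETTING = WITHOUT_SETTING.replace("<form ", '<form autocomplete="off" ')
FIELD_OVERRIDES_FORM = WITH_FORM_SETTING.replace(
    'name="password"', 'name="password" autocomplete="current-password"')

if __name__ == "__main__":
    for label in ("WITHOUT_SETTING", "WITH_FORM_SETTING", "FIELD_OVERRIDES_FORM"):
        print(label, audit(globals()[label]))
```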