I have a typical login form with username and password. When a user enters this information, their web browser will save the username and password for them (assuming their browser is configured to allow this). Suppose the username is “User01” and the password is “Password01”.

Now suppose the user changes/resets their password to “Password02”. The web browser doesn’t recognize my password reset form as a login form, so it doesn’t update/change/save the password in the user’s web browser.

So when the user leaves my website and comes back at a later date, they come to my login page. They enter their username “User01” and it autocompletes the wrong password of “Password01” but the user doesn’t know this because they just see ****. The user eventually locks their account then calls up our customer service to yell at us.

<form action="updatePassword.php" name="frmPasswordChange" method="POST">

<label>Old Password</label>
<span class="textbox"><input type="password" maxlength="14" size="14" name="oldPassword"></span>
<br />

<input type="hidden" name="username" value="User01">

<label>New Password</label>
<span class="textbox"><input type="password" maxlength="14" size="14" name="newPassword"></span>
<br />

<label>Re-enter New Password</label>
<span class="textbox"><input type="password" maxlength="14" size="14" name="newPasswordReEntered"></span>
<br />

<span class="buttonHolder">
<button type="submit" class="styledButton updateButton">Save Password</button>  
</span>

</form>