Environment Low A password value may be stored on the local filesystem of the client. Locally stored passwords could be retrieved by other users or malicious code. The form declaration should have an autocomplete attribute with its value set to "off". Vega detected a form that included a password input field. The autocomplete attribute was not set to off. This may result in some browsers storing values input by users locally, where they may be retrieved by third parties. AUTOCOMPLETE attribute (MSDN) Using Autocomplete in HTML Forms (MSDN)