Tags: html, validation, server-side

Issues with stickied password boxes


When performing server-side validation on a web form, if the user submits an invalid password in a password box, the password box will not have retained the password they entered when they return to the page, meaning they have to re-enter it - frustrating them. This problem can be rectified by making the password boxes 'sticky' so that they behave like regular text boxes and remain filled in when the user returns to the page.

However, there must be a reason that the password boxes' regular behaviour is not to save this information. Does creating a sticky password box pose any kind of security risk to the user? If not, why is the normal behaviour of a password box not to retain the user-inputted data if it improves user experience?


Solution

  • Yes, it does not work for security reasons.

    An example: you would be able to get the password used in forms even after they were submitted and the user has logged out from the app.

    The back button of a navigator works by recovering the last state of the page before you moved to the next one, so if you just moved back enough until the login form you would be able to see the password used there. Join this with a shared computer and you would have an issue.

    Or an evil JS code using history.go(-1) can also do this.

    You can check a simulation here: http://codepen.io/luizgrs/pen/EHgjf

    1. Fill both boxes and click on the Submit button.
    2. Now click on the Back link.
    3. Note the User box was filled again.
    4. If the password box was also filled you would be able to retrieve it with the link Get User&Pass
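One way to make the non-sensitive fields sticky while keeping the password out of the re-rendered page, as an added example that is not part of the answer above (the field names, the response builder and the `Cache-Control: no-store` header are assumptions):

```python
from html import escape

# Constructed field lists: which inputs may be echoed back into the re-rendered form,
# and which must never be written back into the page even after validation fails.
STICKY_FIELDS = ("username",)
SECRET_FIELDS = ("password",)


def build_login_response(submitted: dict, errors: list) -> tuple:
    """Return (headers, html) for a login form re-rendered after failed validation.

    Sticky fields are echoed back HTML-escaped, because user input landing inside
    a value attribute is otherwise an injection point. Secret fields get no value
    attribute at all, so the password never appears in the page source, in the
    state restored by the Back button, or in what history.go(-1) brings back.
    Cache-Control: no-store (assumed best practice, not from the original answer)
    also tells the browser not to keep a cached copy of this response.
    """
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Cache-Control": "no-store",
    }
    inputs = []
    for name in STICKY_FIELDS:
        value = escape(str(submitted.get(name, "")), quote=True)
        inputs.append(f'<input type="text" name="{name}" value="{value}">')
    for name in SECRET_FIELDS:
        # Deliberately no value attribute: the user re-types the password.
        inputs.append(f'<input type="password" name="{name}" autocomplete="current-password">')
    error_html = "".join(f"<li>{escape(e)}</li>" for e in errors)
    html = (
        '<form method="post">'
        + (f'<ul class="errors">{error_html}</ul>' if errors else "")
        + "".join(inputs)
        + '<button type="submit">Log in</button></form>'
    )
    return headers, html


if __name__ == "__main__":
    # Constructed sample: a wrong password plus a username that tries to escape the attribute.
    hdrs, page = build_login_response(
        {"username": 'alice" onfocus="alert(1)', "password": "hunter2"},
        ["Invalid username or password."],
    )
    print(hdrs["Cache-Control"])
    print(page)
```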