I think this is worth sharing.
I have a page that allows customer to modify their account password. The password field and ‘password again’ field are pre-filled with user’s password (encrypted). (I know this is not the best practice and they should be left blank – this is a purchased software package).
What happens is that if no change made to the password, the client script that verifies password match always report unmatched password. The HTML source code does show both password fields are the same. But somehow this code
always gets user’s real password, not the encrypted one in the HTML source code. It turns out that it’s the Firefox’s “Remember Password” feature automatically puts in the remembered password, regardless the specified value in the source.
Lesson learned: use different ID for login and password change screen. However the best practice is to leave it blank and not to update it if password is blank.