Password input
General information
Forum: HTML5
Category: HTML
Title: Miscellaneous
Thread ID: 01663882
Message ID: 01663890
Views: 42

>Using `type=password` is the only way to protect your passwords in the UI. If you use any other mechanism the password will be readable and potentially hackable so I wouldn't recommend doing anything else for password entry.
>
>Secondly you should **never** redisplay a password in the UI after initial entry. Again security - if you display it it's hackable and even if it is displayed with the dots, the password is in the underlying data and hence visible to JavaScript. So never re-display a password even if it's obscured. If people need to make changes to the password, either provide a separate form, or dynamically show the password field after clicking a *change my password* button or something to that effect, and when you do, don't display the original password but provide a blank box. For form updates assume the password should not be updated unless it is explicitly set.
>
>Even on initial input forms if there's a validation error it's best to not re-display the password the user entered, but rather force re-entry. Same is true for Credit Cards and is a requirement for PCI compliance (among many other rules).
>
>As to autocomplete/autocorrect etc. all those can be turned off via HTML attributes. However, they shouldn't actually be active in the first place on Password fields. Most likely the behavior you're seeing is some built-in or add-in password manager that tries to be helpful. But that's not under your control really.
>
>The best approach is to never redisplay a password, which should solve all the issues you are mentioning.
>
>+++ Rick ---
>

Thanks, Rick. I found that 200 characters were actually saved in the DB (after fixing it, the password displays only the correct number of masked characters). I also changed to autocomplete="new-password" instead of "off", and this fixed that weird autocomplete effect I was having.

So, I'm OK now with the type="password".
If it's not broken, fix it until it is.
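
The handling recommended in the quoted reply (a blank password box on every render, no re-display after a validation error, password changed only when explicitly set), as an added example that is not part of the original thread. The field names, the 12-character minimum and the function names `renderProfileForm` and `handleProfilePost` are assumptions.

```javascript
// Added example: form fields, policy and helper names are assumptions.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Render the profile edit form. `values` may be the stored user record or a
// rejected submission; either way the password input gets no value attribute,
// so nothing password-related ends up in the page for scripts to read.
function renderProfileForm(values, errors = []) {
  const errs = errors.map((e) => `<li>${escapeHtml(e)}</li>`).join('');
  return [
    '<form method="post" action="/profile">',
    errs ? `<ul class="errors">${errs}</ul>` : '',
    `<input name="email" type="email" value="${escapeHtml(values.email || '')}">`,
    // Always blank; "new-password" tells the browser this is not a login field.
    '<input name="password" type="password" autocomplete="new-password">',
    '<button type="submit">Save</button>',
    '</form>',
  ].join('\n');
}

// Decide what a submission changes. An empty password field means "keep the
// current password"; it is replaced only when the user explicitly typed one.
function handleProfilePost(form) {
  const errors = [];
  const email = (form.email || '').trim();
  const password = form.password || ''; // not trimmed: spaces can be intentional
  if (!/^[^@\s]+@[^@\s]+$/.test(email)) errors.push('Invalid e-mail address');
  if (password && password.length < 12) {
    errors.push('Password must be at least 12 characters');
  }
  if (errors.length) {
    // Re-render with the submitted e-mail only; the typed password is dropped
    // and the user has to enter it again.
    return { ok: false, changes: null, html: renderProfileForm({ email }, errors) };
  }
  const changes = { email };
  if (password) changes.newPassword = password; // caller hashes before storing
  return { ok: true, changes, html: null };
}

// Constructed sample submission: bad e-mail plus a typed password.
const rejected = handleProfilePost({ email: 'nope', password: 'typed-secret-value' });
console.log(rejected.html.includes('typed-secret-value')); // false
```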

