- Bug
- Resolution: Duplicate
- Minor
- None
- 3.11.13, 4.0.7, 4.1.1
- None
- MOODLE_311_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE
Browsers have recently started autocompleting usernames and passwords into username and password fields where they have not previously been saved in the browser's autocomplete settings. Our users have encountered issues with this behavior when they are adding/editing content or a setting and do not notice these fields being autocompleted where they should not be, causing those resources to break. For example, when adding an LTI tool directly from the activity chooser, the credentials should be pulled from the sitewide settings; however, the user's browser settings are being input and saved inadvertently. In addition, when an admin user was changing a config for a plugin with a username field and a password field, their saved credentials were autocompleted and saved by mistake, and the particular plugin broke.
Apparently, current browsers are now ignoring the autocomplete attribute when set to "off" or "false". However, setting autocomplete="new-password" on the password fields resolves this issue. This attribute can be added directly to the admin/templates/setting_configpasswordunmask.mustache template.
I'd be happy to push a patch if this proposed fix is acceptable. Thank you!
- duplicates: MDL-77618 Browsers auto-completing the user's password into admin setting password unmask fields (Closed)
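A template audit for the fix proposed in the report, as an added example that is not part of the original issue or of Moodle's code: it lists password inputs that lack `autocomplete="new-password"`, including those still set to "off". The names `PasswordFieldAudit`, `audit_template` and `SAMPLE` are hypothetical, and the sample markup is constructed, not the contents of the real template.

```python
from html.parser import HTMLParser


class PasswordFieldAudit(HTMLParser):
    """Collect password inputs that do not set autocomplete="new-password"."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        value = a.get("autocomplete")
        if value is None:
            problem = "no autocomplete attribute"
        elif value.strip().lower() == "new-password":
            return  # the value the report says resolves the issue
        else:
            problem = f'autocomplete="{value}"'
        line, _ = self.getpos()  # line on which the <input> tag starts
        self.findings.append((line, a.get("name") or a.get("id") or "?", problem))


def audit_template(source):
    """Return (line, field name, problem) for each password input to fix."""
    parser = PasswordFieldAudit()
    parser.feed(source)
    parser.close()
    return parser.findings


# Constructed sample markup with Mustache placeholders (an assumption, not
# the real setting_configpasswordunmask.mustache).
SAMPLE = """\
<div class="form-password">
  <input type="text" name="{{name}}_user" autocomplete="off">
  <input type="password" name="{{name}}" id="{{id}}" value="{{value}}" autocomplete="off">
  <input type="password" name="{{name}}_legacy" value="{{value}}">
  <input type="password" name="{{name}}_fixed" value="{{value}}" autocomplete="new-password">
</div>
"""

if __name__ == "__main__":
    for line, name, problem in audit_template(SAMPLE):
        print(f"line {line}: {name}: {problem}")
```

Only password inputs are checked, matching the scope of the proposed fix; the text input in the sample is left alone.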