
So it seems the current consensus is that autocomplete="off" is bad for password input fields:

But does that include the username field? It just seems to me like these come as a pair.

To clarify, I'm asking if autocomplete="off" is bad for username input fields?

1 Answer


`autocomplete="off"` is for sensitive information, for example credit card numbers. The exception is the input type `password`, because modern browsers do not store input for that type, and disabling autocomplete messes with password managers, thus decreasing security.

Usernames are not sensitive information, although there are still good reasons not to broadcast all your users' usernames - e.g. via username enumeration - if you can avoid it (easier bruteforcing or phishing).

But in the case of autocomplete, an attacker cannot harvest all or even a large amount of usernames, but only usernames where they have physical access to the computer or if an XSS vulnerability exists.

The only negative effect may be privacy violations via leaked usernames or email addresses (if they are used instead of usernames). But if a user is concerned about privacy on a shared computer, they should use private browsing.

Because of this, it is very difficult to argue that there is even a slight security benefit for `autocomplete="off"` on usernames. There is however a real usability impact, so I would recommend against it.

tim
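To make the recommendation above concrete, here is an added example (not part of the original question or answer) showing a login form that leaves autofill enabled for both the username and password fields, next to a payment form where `autocomplete="off"` is actually appropriate. The form actions and field names are made up for illustration; `autocomplete="username"` and `autocomplete="current-password"` are the standard HTML autofill tokens that let password managers pair the two fields.

```html
<!-- Added example (not from the original post): a login form that keeps
     browser autofill and password managers working, beside a payment field
     where disabling autocomplete is warranted. Action URLs and field names
     are illustrative placeholders. -->
<form action="/login" method="post">
  <label for="user">Username</label>
  <!-- No autocomplete="off" here: the username is not a secret, and
       password managers rely on recognising this field. -->
  <input id="user" name="username" type="text" autocomplete="username">

  <label for="pass">Password</label>
  <!-- Also left enabled: "current-password" tells the browser and password
       manager which field pairs with the username above. -->
  <input id="pass" name="password" type="password" autocomplete="current-password">

  <button type="submit">Sign in</button>
</form>

<form action="/pay" method="post">
  <label for="card">Card number</label>
  <!-- Sensitive value that should not be cached by the browser on a shared
       machine: this is the kind of field autocomplete="off" is meant for. -->
  <input id="card" name="card_number" type="text" inputmode="numeric" autocomplete="off">

  <button type="submit">Pay</button>
</form>
```

The login form carries no `autocomplete="off"` at all, which is the point of the answer: the usability cost of suppressing autofill on the username field is real, while the security gain is negligible because an attacker would need local access to the browser profile to read the stored value.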