
It is common for websites to remember the username input value after an invalid login attempt but not the password input value.

Take SE for instance. When I attempt to log in with an invalid password:

[screenshot: login attempt with an invalid password]

The response contains my username but not my password:

[screenshot: the response form, username filled in, password field empty]

Is this a security feature or does it relate only to user experience design?

I am not sure because some login forms, particularly those that send the credentials asynchronously, do remember the password.

2 Answers


When the credentials are wrong, the server sends you back a page containing the filled username and perhaps also the password. That should be done with https, and caching headers asking not to store it, but there's the possibility that the error page that was sent with the provided password in the source is stored somewhere (browser cache, an intermediate proxy…).

When there's an asynchronous login, the page itself is not reloaded, and thus this issue doesn't happen.

With a login form, you pretty much always want to blank the password, as the user will have to retype it anyway since it was wrong (and is unlikely to know which was his typo).

The debate on whether to-blank-or-not-blank the password field usually arises when dealing with the registration form. There it is likely that an unrelated field is rejected (e.g. username taken) and the user needs to provide a new username (which may turn out not to be available, either) and the password and password confirmation. That makes an unpleasant UI. And there are different opinions on which should win.

Ángel
  • The registration form issue could be resolved like this. If the entered password is valid (i.e. long enough and identical in both fields), then compute a salted password hash and put that in a hidden field. If the form is posted with both password fields empty, then use the hidden field, otherwise use the password fields. – kasperd Jun 21 '15 at 13:54
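The pattern the answer describes (echo the username back, never the password, and tell browsers and intermediaries not to store the error page), as an added example that is not code from the original post or from Stack Exchange; the credential store, the user name and the `/login` path are constructed stand-ins:

```python
import hmac
import html

# Constructed demo credential store. A real service compares against a
# salted password hash; a plaintext value is used here only to keep the
# example self-contained.
_DEMO_USERS = {"alice": "correct horse battery staple"}


def check_credentials(username, password):
    """Constant-time comparison against the constructed demo store."""
    expected = _DEMO_USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def build_login_response(form):
    """Handle a POSTed login form and return (status, headers, body).

    On a failed attempt the username is echoed back (HTML-escaped) so the
    user need not retype it, the password field is always rendered empty,
    and the response carries headers asking caches not to persist it.
    """
    username = form.get("username", "")
    password = form.get("password", "")
    if check_credentials(username, password):
        return 302, {"Location": "/", "Cache-Control": "no-store"}, ""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # The error page reflects user input, so nothing may store it
        # (browser cache, intermediate proxy).
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    body = (
        "<p>Invalid username or password.</p>"
        '<form method="post" action="/login">'
        f'<input name="username" value="{html.escape(username)}">'
        # The submitted password is never echoed; the value is always empty.
        '<input name="password" type="password" value="">'
        "<button>Log in</button></form>"
    )
    return 401, headers, body
```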

When attempting a login and entering the wrong password, I would state that there is no reasonable reason to keep the password entered - the user can't see the characters, and thus can't see any mistake they may have made, nor correct it, so they'd have to start over anyway.

Additionally, there is a reasonable reason to not store invalid passwords for any amount of time beyond the time required to figure out it's wrong and overwrite the RAM it's stored in, and that is that one very common error for people with multiple passwords is correctly entering a password into the wrong site; i.e. I put my Bank of England password into Stack Exchange by mistake, or enter my work password into the Bank of England website.

Therefore, since the user experience is not helped by retaining a non-working password, and there are legitimate security issues with keeping it, on a login form, it should always be blanked out.

Joshua Dwire
Anti-weakpasswords