The page login.php:
AUTOCOMPLETE attribute is not disabled in HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved.
This strategy can facilitate brute force attack.
Solution:
Turn off AUTOCOMPLETE attribute in form or individual input elements containing password by using AUTOCOMPLETE='OFF'
Reference:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp