There's no clear-cut answer to this, as it's going to vary from browser to browser. On occasions where I can such a situation, the browser (IE or Opera for Win) password fields are cleared out, but I can't easily verify this.

IMO, I would never transmit back a password, and use whatever is needed to remove it from a form; eg if you ask the user that wants to change their password to type in the old password and the new password twice, I would send neither back if the new password verification failed, making sure the user enters both old and new again. I know you can do this easily with CGI.pm, and would suspect you can do it too with that module.

---

Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain