[Login Security] Password 'Show' button reveals auto-complete password

Scurvs

Environment:

Windows 10.0
Javascript enabled
Cookies enabled
Browser size 2481 x 1374

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36

Steps to reproduce issue:

Access MyAccount. If signed-in already, be sure to sign out and perform this step again.
Sign-in, and allow the browser's password keeper to remember the sign-in details.
Sign-out, and access MyAccount. The browser's password keeper should have input the username and password already.
Click the "Show" button in the password field of the login form.

Expected result:

The auto-complete password should remain masked, the field should be cleared when the "Show" button is clicked, or the button should be disabled when the password field is being completed by an auto-complete function.

Actual result:
The auto-complete password is revealed in clear-text.

Nighthawk

I'd never use any browser's built in password saving features. Too risky.

The challenge you'll find is that different browsers handle autofill differently. What may work on one, may not work on another. Deleting the contents of the password field when Show password is clicked defeats the purpose of the button. One big reason I can think of that the button is there is that users are given 5 chances maximum before their account is locked and a call to Telus would have to be made to unlock it.