
To me this sounds like a crazy PCI Compliance-related rule, and someone who doesn't understand anything about the PCI Compliance process or brute-force hacking made the tweet.

When I ran a website with an e-commerce store that accepted credit cards, I was required to have PCI Compliance scans done.

One of the things they had me do was turn off the autocomplete on the password field with autocomplete="off". I have no idea how that makes things more secure.

A lot of the things they made me do in order to be PCI compliant made no sense to me. I think I spent a week trying to convince them that my "error" page which showed up when someone mistyped a URL was not a security risk and was not something I should remove.



autocomplete=off does not prevent you from using KeePass; it prevents your browser from storing your password on your HD in plaintext.

It's arguable that it's not the website's decision where the user caches its passwords, but in high-security environments I don't think it is overkill.


I doubt the autocomplete browser feature applies to password entry. It would freak people out if their browser started suggesting the password as you typed. It does apply for the username/email field, though.


For a password field, "autocomplete" doesn't mean to suggest candidate completions, but rather to prefill with the password part of a previously saved username-password pair, and to offer to save such a pair (or update an existing one with a newly entered and different password) when the form is submitted. Giving the field an "autocomplete" attribute with the value "off" disables this behavior, which matters for PCI compliance because it forestalls browsers from storing the password when they might do so insecurely.
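The PCI scan described in this thread boils down to checking whether each password field (or its enclosing form) carries autocomplete="off". The following audit script is an added example, not code from the thread or from any PCI scanning vendor; the HTML it parses is constructed, and it only reports what the markup requests, since browsers may ignore the attribute for saved passwords.

```python
from html.parser import HTMLParser


class PasswordFieldAudit(HTMLParser):
    """Collect every <input type="password"> and whether the markup asks the
    browser not to store it (field-level autocomplete wins over form-level)."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = []  # stack of autocomplete values of open <form>s
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_autocomplete.append(a.get("autocomplete", "").lower())
        elif tag == "input" and a.get("type", "").lower() == "password":
            field_ac = a.get("autocomplete", "").lower()
            form_ac = self.form_autocomplete[-1] if self.form_autocomplete else ""
            effective = field_ac or form_ac  # inherit from the form if unset
            self.findings.append({
                "name": a.get("name") or a.get("id") or "<unnamed>",
                "autocomplete": effective or "(unset)",
                "storage_disabled": effective == "off",
            })

    def handle_endtag(self, tag):
        if tag == "form" and self.form_autocomplete:
            self.form_autocomplete.pop()


def audit_password_fields(html):
    """Return one finding per password field found in the given HTML."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample: a login form with no attribute, and a checkout form
# that disables autocomplete at form level but re-enables it on one field.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/checkout" method="post" autocomplete="off">
  <input type="password" name="card_pin">
  <input type="password" name="legacy" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    for f in audit_password_fields(SAMPLE_HTML):
        status = "ok" if f["storage_disabled"] else "FLAG"
        print(f"{status:4} {f['name']:10} autocomplete={f['autocomplete']}")
```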


That makes sense to me in a way I didn't think of before.


Do not complain... they know better, you see, they are "the experts"


It's standard security practice to disable autocomplete for secure pages.


No, it's not. Most big websites (hello, Google!) don't do this.

Why do you think it's standard?


I've done more research and it appears that browsers are handling it better ([0]); however, I've had this issue raised to me before.

[0] https://hackerone.com/reports/109
