If you had a pentest and it had a finding of 'Password autocomplete enabled', it was probably a shitty pentest
autocomplete=off
- Browsers have ignored this field since 2014, because it’s a stupid thing to include in a threat model.
If you don’t know what I mean, check out https://hackerone.com/reports/7954 for an example.
Notably, this has been ignored since 2014 https://chromereleases.googleblog.com/2014/04/stable-channel-update.html - which seems to be ignored in a lot of bug bounty submissions.