If filling the password in will result in plain text passwords being sent back, you have already lost, because you just submitted a plain text password over HTTP. Similarly, if you're on SSL, it's plain text in neither direction. In either case, sending it back in the form has not changed the security situation.