User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Steps to reproduce:
We developed a form using the new 'autocomplete="new-password" syntax on a few of its password input fields.
This field allows a user to create new accounts.
For every new user we add, the form suggests the same 'random' generated secure new password.
The password field(s) get populated with the same new random password, setting multiple accounts new fresh passwords to the same value.
Im not sure what heuristics are used to generate the new password, but if there is a generation based on the url/form composition, previous browser settings this might be a security issue. Since it also leaks a password I accepted and stored in my password manager as a valid password before this might be used to re-generate passwords and guess them by manually injecting html into the page, bypassing the firefox master password on shared computers, it would simply give out the same password as the last time someone used that page/domain (not sure what scope we are looking at for the generation) to generate a new password.
We expected the autocomplete functionality to generate a new password on every page-visits, or at the very least no-reuse an already used random password on a second suggestion after the first was posted.