Your client has browser autofill for passwords likely from a password management extension (e.g. LastPass). It's filling in the password when they edit a user because their autofill is detecting it's a password input it should fill. We already set autocomplete="off" (on the input and the form), but password management extensions are set to ignore that by default. They can either clear the autofill so it stops doing that, get in the habit of emptying the password input on every edit, or change their settings in their password manager to stop ignoring autocomplete.