(no title)

I'd add: "Use browser-native autocomplete features for both 'email' and 'password'"

Also you can go pretty wild with a sign-up form's password field validation, because you may want to indicate to the user:

- how strong his PW is

- what seperate requirements are currently fulfilled (e.g. 1 number: yes, 1 special character: no, ...)

- if he needs to pass all requirements or not (and if not: how many he still needs to fulfill)

- if his password contains strings from other input fields you may deem insecure to be part of a PW

- generally more than just an error-state, but also a valid-state, or even a warning-state