diff --git a/core/modules/user/lib/Drupal/user/AccountFormController.php b/core/modules/user/lib/Drupal/user/AccountFormController.php
index 512f703cf678af05f0fbc3b1cf208e26630f5668..7a1001d9fa63086b9bc533b2ba9c4ceb6fc6f256 100644
--- a/core/modules/user/lib/Drupal/user/AccountFormController.php
+++ b/core/modules/user/lib/Drupal/user/AccountFormController.php
@@ -95,6 +95,9 @@ public function form(array $form, array &$form_state, EntityInterface $account)
           '#access' => !empty($protected_values),
           '#description' => $current_pass_description,
           '#weight' => -5,
+          // Do not let web browsers remember this password, since we are
+          // trying to confirm that the person submitting the form actually
+          // knows the current one.
           '#attributes' => array('autocomplete' => 'off'),
         );