This tip comes from Pete Freitag:

Always, always set autocomplete="off" in the input tag. For example:

Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere).

Upside
Protects people using credit cards on public computers, such as in a library or cyber-cafe.

It works in Internet Explorer and the Mozilla group of browsers.

Downside
Breaks XHTML validation. I agree with Pete that it is a good enough reason for writing invalid XHTML code. User safety comes first. If the standard is slow to adapt, well…
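
An added example, not from the original post or from Pete Freitag: a small Python audit that flags payment-card inputs lacking autocomplete="off". The field-name heuristic, the sample markup and the function names are assumptions of this example; it treats autocomplete="off" on the enclosing form as covering its inputs.

```python
import re
from html.parser import HTMLParser

# Heuristic for card-related field names (an assumption of this example).
CARD_HINT = re.compile(r"(?:^|[_\-.\[])(?:cc|card|credit|cvv|cvc)", re.I)
# Input types that are not free-text entry, so they are skipped.
SKIP_TYPES = {"hidden", "submit", "button", "reset", "image", "checkbox", "radio", "file"}

class AutocompleteAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_off = False  # True while inside a <form autocomplete="off">
        self.findings = []     # (line, field name) of unprotected card inputs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        off = a.get("autocomplete", "").strip().lower() == "off"
        if tag == "form":
            self.form_off = off
        elif tag == "input" and a.get("type", "text").lower() not in SKIP_TYPES:
            name = a.get("name") or a.get("id") or ""
            if CARD_HINT.search(name) and not (off or self.form_off):
                self.findings.append((self.getpos()[0], name))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """\
<form action="/pay" method="post">
  <input type="text" name="cc_number">
  <input type="text" name="cvv" autocomplete="off" />
</form>
<form action="/pay2" method="post" autocomplete="off">
  <input type="text" name="card_number">
</form>
<form action="/signup">
  <input type="text" name="account">
  <input type="text" name="ccnum" AUTOCOMPLETE="on">
</form>
"""
if __name__ == "__main__": print(audit(SAMPLE))
```

Run over the sample, it reports cc_number and ccnum, and leaves the explicitly protected cvv field, the form-level protected card_number field and the unrelated account field alone.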