Input type "password" with a value from the previous sender after verification failure

I am creating an account creation page for our site. Out of paranoia, I have always cleared the value="" of the type="password" inputs after the user submits the form, even if both passwords match and are valid. I started thinking about this after our designer asked me if there was any real point to that. I can of course repeat the passwords in the value="" attribute after submitting if they did not fail validation, but are there any vulnerabilities associated with this approach? We default to using HTTPS on this. I know you can do an HTML rewrite to change the input type so that it echoes in an unmasked input, but it looks like that can only affect the user locally.

Form example:

<!-- The echoed value is HTML-escaped so that a submitted username cannot break out of the attribute -->
<input type="text" name="username" value="<?php echo htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); ?>">
<input type="password" name="password1" value="">
<input type="password" name="password2" value="">

On submit, I check whether the username is a valid email address, whether the two passwords match, and whether the passwords meet our minimum requirements. If the email address fails validation but the passwords don't, can I add ...

<!-- Same escaping as for the username; the values are still the submitted passwords -->
<input type="password" name="password1" value="<?php echo htmlspecialchars($password1, ENT_QUOTES, 'UTF-8'); ?>">
<input type="password" name="password2" value="<?php echo htmlspecialchars($password2, ENT_QUOTES, 'UTF-8'); ?>">

... and not worry about it? And no, I am not using register_globals. I pull the values out of $_POST manually and sanitize them first.

Josh

+2


2 answers


I think you shouldn't do this, as a colleague could steal your password by going to the profile page and viewing the source.



You probably won't be able to implement this feature if your passwords are stored with a secure hash, as hashing is one-way and you can't get back the original password.

+1


I think it is a bad idea to do this, because the HTML source can be cached even when you tell the browser via HTTP headers that it must not be cached. It depends on the browser, and Microsoft suggests including an extra HEAD tag after the BODY tag. Microsoft has more information about this "feature" for Internet Explorer.



+1
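The approach the answers recommend instead, as an added example that is not code from the question or from either answer: the handler keeps the submitted username in the re-rendered form (HTML-escaped), always renders both password fields empty whether or not they validated, stores only a password hash, and sends a no-store cache header so the page carrying the username stays out of caches. The function names, the MIN_PASSWORD_LENGTH policy value and the /welcome redirect target are assumptions for the example.

```php
<?php
// Added example, not the original poster's code. Registration form handler that
// re-fills the username after a validation failure but never echoes either
// password back into the page. Function and field names are assumed.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 12; // assumed policy value for the example

/** Collect validation errors; returns an empty array when the submission is acceptable. */
function validate(array $post): array
{
    $errors = [];
    $username  = trim((string)($post['username'] ?? ''));
    $password1 = (string)($post['password1'] ?? '');
    $password2 = (string)($post['password2'] ?? '');

    if (filter_var($username, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Username must be a valid e-mail address.';
    }
    if (strlen($password1) < MIN_PASSWORD_LENGTH) {
        $errors[] = 'Password must be at least ' . MIN_PASSWORD_LENGTH . ' characters.';
    }
    // Constant-time comparison; returns false for strings of different length.
    if (!hash_equals($password1, $password2)) {
        $errors[] = 'Passwords do not match.';
    }
    return $errors;
}

/** Render the form. Only the username is echoed back, and only after HTML escaping. */
function renderForm(string $username, array $errors): string
{
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $html = '';
    foreach ($errors as $e) {
        $html .= '<p class="error">' . $esc($e) . "</p>\n";
    }
    $html .= '<form method="post" action="">' . "\n"
        . '<input type="text" name="username" value="' . $esc($username) . '">' . "\n"
        // Password fields are always rendered empty: the user retypes them, so the
        // plaintext never appears in the page source or in any cached copy of it.
        . '<input type="password" name="password1" value="" autocomplete="new-password">' . "\n"
        . '<input type="password" name="password2" value="" autocomplete="new-password">' . "\n"
        . '<button type="submit">Create account</button>' . "\n"
        . '</form>' . "\n";
    return $html;
}

// The response carries the submitted username, so keep it out of shared caches.
// Headers must be sent before any output.
header('Cache-Control: no-store');
header('Pragma: no-cache');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate($_POST);
    if ($errors === []) {
        // Store only a salted, slow hash; the plaintext is never kept or echoed.
        $hash = password_hash((string)$_POST['password1'], PASSWORD_DEFAULT);
        // Account creation with the username and $hash goes here (storage layer not shown).
        header('Location: /welcome', true, 303); // redirect target is assumed
        exit;
    }
    echo renderForm((string)($_POST['username'] ?? ''), $errors);
} else {
    echo renderForm('', []);
}
```

The design choice is that a validation failure costs the user a retype of the two password fields, while the server never has to decide whether a given response containing a plaintext password is safe to emit; the view-source and caching concerns raised in the two answers are avoided by construction rather than by header tricks alone.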
