login form in admin/appearance/preview sends values to URL
Go to admin/appearance/preview
, type anything and submit the form, it will send the field values as GET parameters and make them visible in the URL bar.
Depending on browser configuration these fields might be filled with actual credentials, and a wrong click can reveal a plain text password to anyone looking at the screen. It would be safer to disable the submit.
By the way the preview page feature is super useful!