Issue #2602 added desirable security functionality to the Password Element including:

• If an Edit form is built from a database object, the password will automatically be excluded from the data sent to the browser

It was later noted that the password attribute (frequently used to identify a password field) is not considered by the Factory:

array(
    'name' => 'something',
    'attributes' => array(
        'type' => 'password',
    ),
    // ...
)

This results in a \Zend\Form\Element instead of a \Zend\Form\Element\Password. To get a password element, the user must explicitly identify the password type in the parent array:

array(
    'name' => 'something',
    'type' => 'Password',
    // ...
)

To be fair, the distinction is real and could theoretically be a desired behavior.

• At minimum, I would recommend adding a special warning in the documentation, possibly under Factory-Backed Form Extension.
• However, I also believe this is an obvious spot to "nudge" users by making the most secure assumption (password attribute intends to create a password element). Obviously, a user could override this setting by explicitly asking for a type => text.