As of Sep 21, 10:20 UTC, some report that Pandora "fixed" the issue, but this is not true. The form is not automatically populated anymore with the password, but the password is still saved in the local storage.
As of Sep 21, 11:35 UTC, it appears that Pandora removes the password from local storage when logging off. Passwords can still be stolen if users do not explicitely log off.
I put the Pandora password decryption utility up on pandorhack.zorinaq.com