It´s not in the standard yet, but we´ll add an admin setting to remove the 'Stay logged in' option on the login page. If you can wait a bit, it will be included in REI3.6.
Regarding the second point, this is tricky. Because there is no unified standard, and because browsers want users to control autofilling of passwords, its usually not up to the web app to decide this. There are many, dirty workarounds, but these come with their own drawbacks. The clean solution, if you want to disable autofill for users of your REI3 instance, is to manage browser settings via mechisms like
Here are some resources for how to configure this in Chrome: link 1, link 2
Even if we could implement a hack to block browsers from autofilling passwords, as long as there is no standard, an updated browser can circumvent it in the future. This has happened before, with attempts to use the autocomplete property, which is nowadays widely ignored by browsers in regards to disabling autofill.