It's clearer if the form clears itself through a reset rather than
waiting for it to happen later. This has the advantage of getting
the password out of reachable memory sooner.

Extending the scope rather than erasing its keys and replacing it
with the base scope means the Auth controller can clear the form
fields without clearing the session data in the scope.