It can be turned off, but IMO it's much better to keep it on. That way you can have unique passwords for every single website, which is important when most sites have your username set to your e-mail address. Prevents credentials a hacker gains from successfully compromising one site being used to harvest your accounts on others.