TBH, I couldn't find a better place to ask and a better title to the topic,
it's all perfectly fine
Are passwords handled by IP (since it didn't ask besides I didn't store cookies)
or by HFS session (because of previous login and I didn't close HFS)?
if i'm not wrong, password is currently handled in 2 ways in HFS: both the old stupid http authentication, and cookie.
When you use incognito it should not use information not coming from the incognito, and also not save incognito stuff after the browser is closed.
I use Chrome, and chrome will store incognito stuff all incognito windows are closed.
The only thing that comes to my mind is that you may not have closed all other incognito's, and so your browser decided to not "forget".
Try complete quitting to be sure.