Bruce Schneier comments on this:

»www.schneier.com/blog/archives/2···_co.html

said by NefCanuck :

Honestly, given the way that most sites require you to confirm your password and the fact that most browsers allow "remembering" the login/password combo per user account, this makes zero sense to me.

Unless you are constantly using other machines and even then there are programs to assist, like RoboForm for instance.

It is, as others have expressed, a major security hole that isn't needed (in addition to all the other security holes that are already present, including the nut attached to the keyboard :D)
NefCanuck

said by OZO :

You're right, it's possible to change web page code. There are some problems though.
• Who knows better the way to enter password, web master or person who enters it? I think it's the latter one. He may look around and decide that it's secure to type in password in clear text. But what if he must to enter it covered with *** and page contains "text" type of filed?
• Some people want the browser to keep passwords for them. It's not secure and I'd not recommend it, but that's what they want. I guess browsers save those value for fields with type "password". But if web developer will omit this type in forms - it may change the way how passwords are saved in browser.

So, I think the way how to enter password (secure or insecure) should be in hands of user who actually does it.

said by JAAulde :

Further, a site developer could even add a way for user to toggle the masking on and off via client scripting which can switch the field type.

said by JAAulde :

There is no change needed in browser code as far as this behavior goes. If a site operator decides that he is OK with possible over-the-shoulder password lifting for accounts on his site, he can use an input field of type "text" rather than type "password". The browser behavior of masking is the only difference between the two field types, and should be left as is such that the option is available.

said by Mele20 :

Is it a function of the browser?

said by Anon users :

Just DON't do it IF... you are in London streets... especially enjoying WiFi in a outdoor cafe :)... there are THOUSANDS of security cam zooming on your unmasked password :)

said by pog :

edit: Was being a bit sarcastic above... however, since masking is a function of the browser (right?), it could become a user preference. It needn't/shouldn't be up to site operators.

said by antdude :

"Usability suffers when users type in passwords and the only feedback they get is a row of bullets..."

What do you guys think?

said by EGeezer :

How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements?

Now there's an idea..

Well, that's why applications should use standard controls. There is no need for different implementations of GUI control sets.

Usually it's s standard control (type Edit Control, flag Password) and therefore it could be changed in one place (including this additional feature to show password in clear text or cover it with ***). Are you asking where settings should be kept? In registry, perhaps. In HKLM hive for all users, HKCU for particular user...

said by nwrickert :

I'm wondering what people are talking about here. Where would a default be set?

How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements?

"Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures..."

said by EGeezer :

How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements?

said by Kilroy :

The only purpose served by masking the password is to reduce the over the shoulder loss of passwords. My experience has been that it isn't needed. Now, if clear text passwords became the norm would that situation change? Unknown.

I have to agree that it is an issue on mobile devices. I have a Blackberry with the multiple letters per key and entering any password is painful.

For the most part I'd like to see my passwords as I type them, but it doesn't really matter since masked passwords are what I'm used to working with.

More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.