I’ve written up a little page on password masking to read at your convenience.
This was born out of an article written by Jakob Nielsen titled “Stop Password Masking“. In it he argues that masking passwords does little to really prevent password theft, but does quite a lot of harm in the form of user errors as they are unable to tell if they’ve made a mistake in typing their password. Security pro Bruce Schneier weighed in as well, initially agreeing with Nielsen, then rethinking his ideas a bit.
I decided to see what we, on the web side of things, might be able to do to make it a little easier on users, but still stay secure.