by jtheory 4651 days ago
Oh, please no one do this!

Two main points -- masked passwords are a very standardized UI convention, so everyone has a strong assumption that passwords will be masked, even in situations that the author hasn't considered (when yes, in fact lots of people will unavoidably see your password), and second, there are common situations the author hasn't considered.

Most of the meetings I'm in nowadays use screen sharing in some way; that means my screen is intentionally large & visible enough that plenty of other people can see exactly what I type. I do need to occasionally sign into something, which gives away my password lengths but that's it (and that's not too serious; I use a password manager so they're long & random).

Pair programming? A manager authorizing some action for an employee? Any kind of demo, or giving technical support? Training?

There are lots of reasons why someone else would be legitimately closely watching what I type. Masked passwords are not an archaic holdover from mainframe days.

That said, the option to show password text is useful, for all the reasons mentioned -- this should not be site-specific (ugh, I can imagine the "show password text" being just to the right of the password field, so username-tab-password-tab-enter will show the password...), but a button in the toolbar would be nice.

3 comments

I personally would prefer the option to mask password vice option to show. In all of my office environments I've had to log onto things in front of people. Universally they look away as a courtesy, and this is with passwords masked. If I was presenting on the overhead I would click the mask button. The pros probably outweigh the cons on this one as long as the option to mask was presented.

Also, below: gweinberg had a good point: the people who you should fear shoulder surfing from are not the ones who you would want to type a password in front of even if it was masked.

If you present things on a projector on a daily basis, you would probably do a good job of remembering to click the mask button (but having to click the mask button would probably outweigh the occasional convenience of not having to click the reveal button), but people who present things on a projector only occasionally and log in entirely by reflex will frequently not.

Computers, like most other things in life, offer opportunities to screw up, and engineering things requires a tradeoff between babysitting and general utility. I think the potential damage in the case above (the occasional presenter has to change a password afterwards) is less damaging than enabling most people to choose better passwords. Your coworker is unlikely to misuse that information. More likely: you have a shitty password and someone breaks a stolen hash because 'Pa$$word' isn't really that creative. I view accidentally showing your password briefly to coworkers as on par with accidentally having an embarrassing email up when you flip on the projector: unlikely to cause long-term harm, slightly blush-inducing.

Edit: not implying that we should set up security procedures based on implicit trust of those we work with, but if you're talking about a global internet-wide convention then likelihoods are more informative than exceptions.

Replace "change a password" with "change all your passwords" and it's a lot less fun.

I am willing to live with this case (some random person who is not used to presenting on a projector forgetting to mask his password) for MY personal utility.

This doesn't make sense -- why should the random person suffer at all? Your personal utility would be equally well-served by a browser plugin that made your password fields visible.

It's not technically difficult, so if it doesn't exist, it wouldn't take much to create.

My personal utility would not be equally well-served - because it would involve finding & installing said plugin.

Meanwhile that random person who can't be bothered to click on the 'mask password' checkbox is just someone I don't really care about. His 'suffering' is entirely avoidable.

On a more serious note - I believe the number of individuals who benefit from this change (everybody typing in a password) would receive sufficient benefit to outweigh the cost incurred by the few who would bear the burden (someone giving a demonstration and forgetting to click 'mask pw' button).

Or - we might just have a browser setting for it.

As an aside, do most people do the "stare away from the screen and keyboard" shuffle when sitting with someone who is logging onto their computer?

I do it (make a point of not facing the keyboard & screen of someone typing in their password) as a point of politeness, however in retrospect I find it a little odd. I've noticed other people doing it too (and yet when there is a presenter logging into a machine, nobody cares as much).

Yep, definitely. In my opinion it confirms a very basic expectation of trust between you and whoever's at the keyboard, assuming they're astute enough to notice (and concerned enough to care). If nothing else, it's a simple expression of courtesy.

I agree that this is a horrible idea in certain contexts. But for choosing a password the first time this is an excellent idea and would have the same intended effect.