[khandekars]

Disagree. Even bullets shouldn't be displayed while the user types the password. Why should a security camera in an office know that the user's password length is ten, twelve or twenty nine characters?

[mooism2]

If you have a well chosen password and it is that long, knowing how long your password is won't be enough for the office snoop to crack the password. I'd be more worried about the camera watching which keys I'm pressing.

On the other hand, if I start typing my password too soon after the login box appears on my laptop, it eats the first character. I would never have worked out why I was finding it so hard to login if the password box did not display bullets. (See also dodgy keyboards.)

[khandekars]

Dodgy keyboard is a good point; makes for a compelling case in favour of bullets.

[tezza]

Security cameras can just record the keys that you type the password in.

If you cover your hand, the problem space is still small enough to guess just based on where you are covering and how long for.

Only systems that do not use passwords are viable if you are being closely scrutinized. e.g. entering only selected characters from your passphrase.

[khandekars]

Thanks. OT: How do we protect from such snooping? I thought that recording the keys was harder for the cameras since the keyboard would be masked by user's height or a partially closed tray. E.g. in a cyber cafe, the keyboard normally is below the tabletop in tray. This is also true of many companies in India, where they use desktops.

[makecheck]

Actually, password fields often display an incorrect number of bullets (maybe not while the user's typing, but after they're finished). The idea is to also mask the password length.