by skip 6193 days ago
The reference implementation seems very buggy--moving my caret and having inconsistent behavior.

I would certainly be hesitant to type my password on a website which is handling the field like that. Let the browser vendors implement this option at the application level (as an option, probably, so users can enable/disable on all websites).

1 comments

I don't understand why you would have a problem with this. The JavaScript that makes this happen does run in the browser, on your desktop, or as you put it, the application level. Regardless of how your password is displayed when typed (either plaintext, starred, or a combo), the value of the field is sent as plain text to the web server (if not SSL). This demo attempts to solve the problem of shoulder surfing vs usability, not building a more secure login mechanism.
Well, from a technical standpoint you are correct. Although, if I see buggy/weird behavior on a website, right away I question what sort of hidden unsavory stuff is happening on the server side.

But there is an issue even if the implementation is totally seamless and bug-free. Maybe one site implements this slightly differently, and maybe some sites have a checkbox to clear the mask, or other sites show me each character for a fixed delay (e.g., character disappears after 250 ms or something), etc. In each case I must make some accommodations to how I expect a password field to behave. On the other hand, if it is at the application level then there is opportunity to evolve the feature uniformly across all websites--and also give the user a single option which controls the behavior.