Password is already compromised, so this is a worthless step. And only seeing part of the password may cause them to think it's largely still secure or something. (Some people don't understand wildcards.)
Since their password is already compromised publicly on the Internet, it's silly to worry about shoulder-surfing. In fact, if someone shoulder-surfs, and sees the password, the user is even more encouraged to CHANGE it.