At the recent UPA conference in Portland, I attended a session that was on best practices in the registration process. The talk was okay, but the conversation around it was more interesting. One of the things that got raised was how users had problems creating passwords when the system changed the password text to ****. People thought it was for security if you were in a public place, but then Stephanie Rosenbaum piped up and told us the real history. Apparently, this was a holdover from old word-processing machines that created a paper receipt of everything you typed. In other words, we've developed a standard based on an old, out-of-date technology!
Jakob Nielsen commands that we stop using password masking in his most recent Alertbox article. He points out that as we are moving to a more mobile device-centric world, misspellings and mistyping become more common. This is a real problem for masked passwords because the user won't know that they've made an error until the password fails. He does offer a carrot to those who want to keep masking: make it optional and let the user decide.