And really, if someone you don’t trust is looking over your shoulder, then they can figure out your password regardless of the characters being obscured on screen. First, unless you cover your keyboard or are an incredibly quick typist, they can easily see which keys you hit. Furthermore, since the number of dots is equal to the actual number of characters in the password in almost every case I’ve seen, they will at least know how long your password is, which makes brute-forcing it a lot easier.
My second pet peeve is all the password restrictions. I don’t really mind if you require me to have a 25-character password with upper- and lower-case letters, plus at least one number and one punctuation mark. Though really, does your lolcats site really require that? But if you do, for the love of God, tell me that requirement before I fill out your massive signup form only to have it rejected because my password isn’t ‘secure’ enough. Likewise, always put a reminder about your crazy requirements on your login page. I will invariably attempt to log in with my usual, simpler passwords a million times before realizing that you made me make a crazy long password just for you.
Who’s with me?