Personally I get new passwords everyday because I have to reset them when I can't remember the old one from day to day.

Get a password manager then, you'll only need to remember one password. Take it with you on a USB drive or mobile phone and you can use it anywhere.

Great point about how masking encourages the same passwords.

Show me some empirical evidence that this is even true. Heck, show me anecdotal evidence. Of all the reasons I can think of for using the same password, input masking is not one of them.

And as for using passwords in public places, if you're logging into your online bank account while sitting at a Starbucks, you've got bigger things to worry about than masking your password.

Like what? SSL prevents anybody snooping the wireless from seeing the password or any part of my online banking conversation.

Of course, either way, at some point a lot of internet idiots will unmask their passwords, a big compromise will happen, and Congress will be moved to impose liability on the site operators to save the fools from themselves.

Users, it may be a pain in the rear, but those sites that offer masking are doing it right.

If they offered it, I'd agree. Unfortunately, they force it, in all situations.

And as for using passwords in public places, if you're logging into your online bank account while sitting at a Starbucks, you've got bigger things to worry about than masking your password. "Security for Dummies" comes to mind.

The risks are obviously ranged - logging into your bank or a SaaS app like SalesForce is different than leaving a comment on a blog.

Still, you may use the same password on both, so it's best to be safe.

Users, it may be a pain in the rear, but those sites that offer masking are doing it right.

In short, though, we need more Internet security, not less.

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed.

Maybe this is true for him, but certainly not for me. I often have people looking over my shoulder when I need to log into a site. I make sure they are not looking at my screen or keyboard when I type my password (which I can type without looking at either), and I always look away when someone else is typing theirs.

Those are the words of someone too lazy to concern himself with security.

Exactly, this is the kind of person that inspired the creation of Vista's "Cancel or Allow" dialog, because he couldn't be bothered to read the warning about an attachment being a known virus that would destroy his computer before he pressed "Ok". He's also the kind of person that will disable that dialog and complain when a known virus destroys his computer.

Since the masking is a function of the browser, all that is needed is an option in the browser's preferences that a user could check or un-check to enable or disable masking on all password forms.

Firefox + Web Developer Toolbar has this option for me. I wouldn't be surprised if there were a more basic Firefox extension that did just this.

I've never understood why so few applications, both web and standalone, give the user the option to choose whether or not to make the password visible.

I agree. But it's even easier than that.

Since the masking is a function of the browser, all that is needed is an option in the browser's preferences that a user could check or un-check to enable or disable masking on all password forms.

Voila! Everyone's happy!

This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)

That's quite the assertion he's making. I'd be shocked if people are actually "discouraged" by password masking (and note that he doesn't stoop to providing anything more than a conjecture on this point). Does he honestly think that a non-negligible number of people are so flabbergasted by technology that, when faced with the prospect that their login may not work the first time because of the possibility of mis-typing their password and never seeing the mistake, they just can't bear to try to enter a site? If that's all it takes for him to give up, I'd say it's a personal problem that requires some serious professional help.