Being an advocate of password masking myself, I found Jakob Nielsen's findings very interesting. Password masking is merely a screen-protection technique: it hides the characters from anyone looking at the display, but once you press Enter the password may still be sent as plaintext over HTTP, so masking won't help much security-wise in that case.
Here is the deal: it is true that you sometimes need to log into websites with potential observers around (say at an airport, in a restaurant or similar). In those cases you will feel better if nobody can see what you are typing on the screen (even though, as Jakob Nielsen says, “a truly skilled criminal can simply look at the keyboard and note which keys are being pressed”). As an alternative for users who might need password masking, he suggests a checkbox so that people can turn it on and off whenever needed. I personally like the checkbox concept too, not only to address the security paranoia of some users, but also as a way to help users get used to something new.
Jakob Nielsen describes password masking as running against basic usability principles, and that is true, but the problem is that masking has been the norm for every login on the internet so far; right or wrong, it is what people are “used to”, so we need to “train them” into using something new.
The checkbox idea is a good one, and I truly believe it does not add complexity to the form: I would take away the Remember Password checkbox (which is useless most of the time anyway), so visually it won't add anything that disturbs the standard look of a login. I would have the password masking checkbox checked by default so that it does not interfere with the user flow, and whenever the user gets into trouble he or she can uncheck it. As an additional note, I would still use onkeydown/onkeypress to check whether Caps Lock is on and, if so, display a notice (I have always found it very useful, not that I ever left Caps Lock on...).
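As an added example (not code from the original post), here is how the mask-by-default checkbox and the Caps Lock notice described above could be wired up in plain JavaScript; the element ids password, mask-password and caps-notice are assumptions. It also covers the classic case-versus-Shift heuristic for browsers without getModifierState, which the post does not spell out.

```javascript
// Added example, not from the original post. Element ids below are assumptions.

// Decide whether Caps Lock is on from a key event. Modern browsers expose
// getModifierState; the classic onkeypress heuristic compares the typed
// letter's case with the Shift key state instead.
function capsLockOn(event) {
  if (typeof event.getModifierState === 'function') {
    return event.getModifierState('CapsLock');
  }
  const ch = event.key;
  if (typeof ch !== 'string' || ch.length !== 1 || !/[a-z]/i.test(ch)) {
    return false; // digits, symbols and control keys carry no case information
  }
  const isUpper = ch === ch.toUpperCase();
  // Uppercase without Shift, or lowercase with Shift, means Caps Lock is on.
  return isUpper !== Boolean(event.shiftKey);
}

// Switch the field between masked ('password') and cleartext ('text').
// Masking only protects against onlookers at the screen; the browser submits
// the same value either way, so the form still needs HTTPS for transport.
function setMasked(input, masked) {
  input.type = masked ? 'password' : 'text';
  return input.type;
}

// Wire the handlers when running in a browser. Under Node there is no
// document, so the functions above can be exercised on plain event objects.
if (typeof document !== 'undefined') {
  const pw = document.getElementById('password');          // assumed id
  const mask = document.getElementById('mask-password');   // assumed id, checked by default
  const notice = document.getElementById('caps-notice');   // assumed id, hidden by default
  mask.addEventListener('change', () => setMasked(pw, mask.checked));
  pw.addEventListener('keydown', (e) => {
    notice.hidden = !capsLockOn(e);
  });
}
```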
Jakob Nielsen also says that he noticed these usability issues with password masking. I personally find Apple's approach (on the iPhone, iPad and iPod touch), which is to unmask only the last letter you typed, quite acceptable already; it is a good compromise, especially since people use these portable devices on the go most of the time. Well done Apple.
As the usability guru says, “Let's clean up the Web's cobwebs and remove stuff that's there only because it's always been there.”