An Accepted Security Expert's Differing Opinion
There is no argument from me that when it comes to Information Security, Bruce Schneier is a consummate expert. I have learned a lot by reading and considering Bruce's essays on different matters; however, I have found that I now disagree with at least one of his opinions. Bruce feels password masking is unnecessary; I disagree. (Update 7/7/2009: Bruce has admitted he was probably wrong.)

Beware the Unskilled Evil-Doer
In his essay, Bruce makes the point that a truly skilled criminal can simply watch the keyboard and note which keys are pressed, so masking passwords ends up providing little benefit relative to its cost, given the trouble people have typing accurately without being able to see what they type.

While I can see some validity in Bruce's view, a less skilled criminal benefits greatly when passwords are not masked as they are typed. It is substantially harder for a person to watch someone's fingers as they type a strong password and determine with any accuracy what was typed than it is to simply read and memorize, or even photograph, the characters printed on the screen.

So the question is, what sort of evil-doer is the average person most likely to encounter: a highly skilled criminal or one with fewer abilities? I'd argue the latter, so masking passwords provides a real benefit, with the trade-off that a person sometimes has to enter their password twice after fat-fingering the keyboard.

In closing, let us accept that if a person really wishes to determine your password, masking it as it is typed will provide very little protection. However, it does protect you from a script-kiddie-level criminal or a casual viewer, which was the original intention of password masking.