Fair points from Nielsen: how easy is it for someone to look over my shoulder when I’m tapping in my password into SplashID on my phone? Not very: which is why it has a show password option. Why shouldn’t this be the default on the web. To work effectively, it should be a per site setting that the sites remember for me. Then again, how many people have four standard passwords that they use for different things (with the most secure having the least commonly used and hardest to remember passwords)? If someone catches you logging in to Facebook and you use the same password for your bank, then you might have a problem.