Comment 85 for bug 194472

aysiu (ubuntubugzilla-psychocats) wrote :

Can we put the "shoulder surfer" myth to bed once and for all?

First of all, if your password is of any considerable length, there's no way the human eye can tell the difference between 11 asterisks and 13 asterisks in the blink of an eye. And if your password is 12 or 13 characters long, it'll take nearly forever to crack anyway if length alone is the only thing you know.

Secondly, anyone standing behind you can count keyboard clicks better than counting asterisks and have the bonus of seeing at least some of the keys you're pressing or at the very least which sides of the keyboard you favor at different parts of your password.

If someone is standing over your shoulder, not getting visual feedback doesn't mean staying secure. Shoo that person away, seriously.