That 100 hours you spent studying the web and security were wasted.

For Websites that don’t offer an option to reveal passwords (most) there are simple JavaScript solutions.

The real issue is that real users prefer to see their passwords because it’s more comfortable. They almost completely disregard security in behalf of not having to check their caps lock key (which by the way is a problem easily fixed by informing the user via a decent error message that it might be turned on) or retype their passwords. This same users save their passwords on a computer and then leave it unlocked where anyone can browse their history, log into one of their accounts and then wreck havoc. We can’t protect the user from all possible cases of wrongdoing, but using masking we do our best to avoid some of those cases.

While I’m going at it, most complains seem to come from people that have to deal with “support”. So instead of getting 50 calls a day, you get 200 calls because of stringent password policies. And you believe that its a waste of time, waste of money and waste of resources. So you want unmasked passwords so half your staff gets laid off and you go back to getting only 50 calls a day, but, alas, the problem with that is that now your calls are not about resetting passwords for people that forgot them. Now you get calls about people complaining that their passwords not only do not work, but someone wrote insults on all their friends facebook walls and made a banking transaction moving funds to some random account on a Cayman Islands bank.

If you have to deal with software security you need to cover your and the user’s ass. Why are you even thinking about making security comfortable? Let’s not search for bombs in airports, lets just let them blow stuff up. Let’s not stop and breathalyze potential drunk drivers, let them crash into schools. Let’s NOT put wet floor signs in the cereals isle, let the old lady break her hip when she falls. Let’s not protect the users in any way, since they prefer being on their own and it’s more comfortable for them not to listen to us.

Again, why are you even thinking about making security comfortable? It’s NOT. Get over it and do your job people… and do it correctly.

Alternatively, you could also take something similar to how Apple handles password entry on the iPhone by revealing only the last typed character and then masking it on the next keystroke or after a specific time (whichever comes first).

Either way, you get the benefit of unmasked passwords but the comfort and security of password masking.

This is how password fields work on the iPhone, so you have a momentary visual confirmation of using the correct key, without the insecurity of the whole password remaining revealed. In use it feels both natural and elegant.