Hacker Times

Let me just say, as retarded as I think this whole masking kerfuffle is, play with it or don't play with it, but if you don't mask passwords in your login box, expect to spend $10,000-$20,000 extra on your PCI auditors (and then restore password masking) when you decide to accept credit cards.


I don't think anyone has suggested individual sites should override the browser behavior.

The interesting question is whether client software (browsers/add-ons) should offer another option. And if it did, would the Payment Card Industry auditors demand a site override the user's choices, for example by simulating a masking password field outside the default HTML widgets?


I agree, this should be a user choice rather than site-specific.

The HTML 4.01 spec doesn't dictate how passwords should be obscured, although it does suggest asterisks. I think it would be reasonable for browser vendors to provide an alternative means of obscuring passwords.

If the PCI auditors aren't happy with this, and given the leniency of the HTML 4.01 spec (I haven't checked any other specs), should they take this up with the W3C?


Just do what the overly paranoid security industry says. They'll never steer you wrong!


I think it's an excellent idea to spend tens of thousands of dollars to make a stand against the security industry with your startup's web application, and I too think password masking is sure to be their Waterloo. To the barricades!


What are PCI auditors?


PCI stands for "Payment Card Industry", and is a shorthand for the PCI Data Security Standards, which are a set of rules that every vendor above a certain size has to follow in order to process payments with a Visa or Mastercard.

PCI auditors are people working for one of the 20-30-odd firms that are certified by Visa to audit compliance with the PCI DSS.



