I agree, this should be a user choice rather than site-specific.
The HTML 4.01 spec doesn't dictate how passwords should be obscured, although it does suggest asterisks. I think it would be reasonable for browser vendors to provide an alternative means of obscuring passwords.
If the PCI auditors aren't happy with this, and given the leniency of the HTML 4.01 spec (I haven't checked any other specs), should they take this up with the W3C?
The HTML 4.01 spec doesn't dictate how passwords should be obscured, although it does suggest asterisks. I think it would be reasonable for browser vendors to provide an alternative means of obscuring passwords.
If the PCI auditors aren't happy with this, and given the leniency of the HTML 4.01 spec (I haven't checked any other specs), should they take this up with the W3C?