HTML Input of type text for passwords
This is a vulnerability. If users have JavaScript disabled, their passwords will not be changed to dots, and thus they are vulnerable to shoulder surfing.
As user @Question Overflow points out in their comment to your question, clicking outside the field would also display the password. Which means a co-worker could see the user's password by taking their mouse for a moment - even accidentally.
The site may be following the guidance in the article "Stop Password Masking", posted by Jakob Nielsen on June 23, 2009.
Summary: Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.
Password masking addresses the shoulder surfing attack at a substantial cost in usability, especially among non-technical users who do not use a password manager. The site may have weighed the risk of shoulder surfing compared to other attacks on users' credentials and deemed it not worth the loss of usability. I've seen some other sites that use a JavaScript control to toggle the password field's type
attribute between "password"
and "text"
, letting the user make his own tradeoff between usability and security against shoulder surfing.
The site in question is described as not quite following this advice. Perhaps the engineers were following this advice but then management requested that it be changed. Or perhaps they were trying to emulate the behavior of mobile devices that briefly show the last entered character in password fields.