Personally, I think a check box to turn masking off would be a good idea. At work there's a 40 character password (actually a pass phrase) I sometimes need to use. I probably get it right 50% of the time or less. My password safe (Keyring) on my Palm has an option to mask the password. There is no way I could use the application if I couldn't see the password as I type it.
So, I think the best option in terms of usability is to give the user a choice. If there's no one around, why not allow them to unmask what they type? It might be one less incentive to use bad passwords, and, more importantly, it empowers users.
I think the masking on the iPhone, and I understand on BlackBerrys too, showing the character briefly while you type, is good, at least for mobile devices with a non-standard keyboard, which is more prone to typing mistakes. In particular on phones with a numeric keyboard - just how many times did I type 4?
"I, for one, would like the option. I cannot type complicated WEP keys into Windows -- twice! what's the deal with that? -- without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking."
I feel like there is a middle ground. Passwords should definitely be masked, for at the very least the sense that it's a secret (us internet people forget how incompetent the average person is on the computer). A middle ground would be a visual password hash. I don't remember where I read it, but the example was a ring of keys with different size keys in different positions. A real world example would be the SSH key pictures. Then as the user continually types their password, they would learn the progression of images, and be able to spot mistypes right away.
We use a long passphrase for our WPA key on the wireless network at my work. Like you, I find it impossible to type it correctly when the password is obscured. My solution is to type the passphrase into Notepad and then cut and paste it into the password field. This works since it's only an occasional operation.
This, to me, is ludicrous for a number of reasons, the first and foremost being the fact that nearly everything ON your iPhone, be it mail, contacts, chats, messages, calls, any 'apps' that grant access to various online accounts, et al, generally speaking, saves your passwords for convenience so you don't have to type in huge strings everywhere on the funny little ethereal keyboard. So in reality, the security of everything on your iPhone (save for the AppStore, oddly enough...) relies on the security of your PIN, which again, is a non-issue to figure out if you are an astute observer.
I do like that feature, and it is certainly a necessity on the iPhone, where you don't even have physical feedback from the 'key' you're pressing.
Also, regarding PINs and BlackBerry-style inputs... The iPhone is the same. The last character you type is displayed, but masked as soon as the next is typed.
(2) I'm glad Apple changed the password entry method on the iPhone/iPod touch to display the last character in the clear until you enter another one. It was too easy on iPhone OS 1.0 to screw up entering a long, nonsensical WPA2 pass phrase if you couldn't remember or see anything of what you had already typed in.
I also think this depends a lot on the way you type. Since I touch type I wouldn't ever consider unmasking when entering a password, except perhaps when creating a new one. I get feedback much faster from my fingers than from the screen, and it's harder for anybody else to track. We then have people who do look but type very accurately (getting visual feedback as they hit the keys), those who mash the keys and make frequent mistakes, and those who individually hunt down and press each individual key. I would imagine the styles of feedback that would be useful would depend a lot on entry method.
I, for one, would like the option. I cannot type complicated WEP keys into Windows -- twice! what's the deal with that? -- without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking. That's what I was reacting to when I said "I agree."
In some situations, there is a trust dynamic involved. Do you type your password while your boss is standing over your shoulder watching? How about your spouse or partner? Your parent or child? Your teacher or students? At ATMs, there's a social convention of standing away from someone using the machine, but that convention doesn't apply to computers. You might not trust the person standing next to you enough to let him see your password, but don't feel comfortable telling him to look away. Password masking solves that social awkwardness.
Two, you have to type it in ALL THE TIME, unless you don't mind anyone with at least one hand taking a look into the archives of all of your email accounts whenever they get their hands on it.