While this is true, in the general case, if your application is required to be secure, it's not a choice.
Don't get me wrong, usability is very important, but if your application has to be secure (and not having someone look at your password over your shoulder is a requirement), then how can you choose usability over security?
not having someone look at your password over your shoulder is a requirement
What I say is that sometimes this is not a requirement even if the website offers a login feature.
I guess that for my online mail client I would prefer to have a masked password field.
Now for my account at an online RSS reader I actually don't care that much because there is nothing to protect (at least in my opinion) and no value for someone to steal and remember my password. Maybe however I still want to be protected against someone on the web who happens to have the same name as I do and wants to steal my account... However the probability for this guy to be over my shoulder is quite low.
Maybe this is all a question of personal interest. Some users will prefer usability over security while others will prefer the opposite no matter the application. If this is the case then I would vote for having the option to toggle between one and the other...
Don't forget many people use the same password all over the place (silly I know - but it is something every site should assume and plan for!).
So in essence if you leave a password field open then you're potentially exposing the "global" password of your user to anyone walking past. That seems an even bigger consideration than just exposing the pass to your site. You're taking away any security the user expects when typing a password in :)
I think being able to mask and unmask your password with a checkbox is certainly viable (as long as the masking is the default). The problem lies not with users like you who have different passwords for different applications; the problem lies with users who have the same password for all applications.
That being said, that is probably beyond the scope of what the author is trying to address but is still always something to consider.