Thursday 25 June 2009

Re: Stop Masking Passwords

I was reading the article about masking passwords by Jakob Nielsen, and it got me thinking about why we mask passwords at all. I don't agree with his solution of simply displaying passwords in open text inputs (there are so many side effects to that), but I do agree that we could do better.

One of my colleagues was better at verbalizing a reason not to stop masking: even though masking may make users feel less sure about the correctness of the password, it is just as likely that a feeling of security is introduced by the very fact that passwords are masked. I think both statements should actually be verified; both Nielsen and I are posing assumptions here.

Devices that have coped with the issue of making errors while typing passwords are mobile phones. Using the web browser on an old Nokia to enter text in a password field shows you an unmasked character for the last character you entered. This is a pure necessity: using a numpad to enter text (press "2" twice to get a "b") is painful by itself, let alone if you can't see what you type.

But this feature also made its way to smartphones. Android uses a similar approach: it displays only the last character, and masks it after a short period of time. Probably because making errors on a small touch screen is also more common compared to a regular full-size keyboard.

But if we can do it on phones, then why not on normal computers? Here is a proof of concept using JavaScript to simulate the behavior. The "actual password" field would be hidden, of course.
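The following is an added example of that phone-style behavior, not the original proof of concept from this post: the visible input only ever holds mask characters plus, for a short delay, the most recently typed character, while the real password is kept in JavaScript state and copied into a hidden input. The element ids `password-visible` and `password-actual`, the 1000 ms reveal delay and the bullet mask character are assumptions; the controller logic is separated from the DOM wiring so it can be run and tested without a browser.

```javascript
// Added example (not the original post's code): a password field that
// reveals only the last typed character and masks it again after a delay.
const MASK_CHAR = '\u2022';   // bullet used for masked characters (assumption)
const REVEAL_MS = 1000;       // assumed delay before the last character is masked

// Pure rendering: every character masked except, when revealLast is true,
// the most recently typed one.
function renderMasked(actual, revealLast) {
  if (actual.length === 0) return '';
  const masked = MASK_CHAR.repeat(actual.length - 1);
  return masked + (revealLast ? actual[actual.length - 1] : MASK_CHAR);
}

// Controller holding the real password and the reveal timer. Timer functions
// are injectable so the logic can be exercised without a DOM or real clock.
class MaskedPasswordField {
  constructor(onRender, timers = {
    set: (fn, ms) => setTimeout(fn, ms),
    clear: (id) => clearTimeout(id),
  }) {
    this.actual = '';          // the real password; never rendered in full
    this.revealLast = false;
    this.timer = null;
    this.onRender = onRender;  // receives the string the visible input should show
    this.timers = timers;
  }

  // Characters typed at the end of the field: reveal the last one briefly.
  typeChars(chars) {
    if (chars.length === 0) return this._render();
    this.actual += chars;
    this.revealLast = true;
    this._restartTimer();
    return this._render();
  }

  // Backspace: drop n characters from the end, revealing nothing.
  deleteChars(n) {
    this.actual = this.actual.slice(0, Math.max(0, this.actual.length - n));
    this.revealLast = false;
    this._restartTimer();
    return this._render();
  }

  // Reveal delay elapsed: mask the last character too.
  expire() {
    this.timer = null;
    this.revealLast = false;
    return this._render();
  }

  // Translate the visible field's new value into the edit the user made.
  // Only edits at the end are supported; an edit in the middle of the field
  // (caret moved) is rejected by re-rendering the previous state.
  handleVisibleValue(visibleValue) {
    const shown = renderMasked(this.actual, this.revealLast);
    if (visibleValue.startsWith(shown)) return this.typeChars(visibleValue.slice(shown.length));
    if (shown.startsWith(visibleValue)) return this.deleteChars(shown.length - visibleValue.length);
    return this._render();
  }

  _restartTimer() {
    if (this.timer !== null) this.timers.clear(this.timer);
    this.timer = this.revealLast ? this.timers.set(() => this.expire(), REVEAL_MS) : null;
  }

  _render() {
    const shown = renderMasked(this.actual, this.revealLast);
    this.onRender(shown);
    return shown;
  }
}

// Browser wiring, skipped when run outside a browser (for example under Node).
// The visible text input is the decoy; the hidden input carries the real
// value to the server on submit. Element ids are assumptions.
if (typeof document !== 'undefined') {
  const visible = document.getElementById('password-visible');
  const hidden = document.getElementById('password-actual');
  if (visible && hidden) {
    visible.setAttribute('autocomplete', 'off');
    const field = new MaskedPasswordField((shown) => {
      visible.value = shown;
      hidden.value = field.actual;
    });
    visible.addEventListener('input', () => field.handleVisibleValue(visible.value));
  }
}
```

The visible input should be a plain `type="text"` field with autocomplete off, since it never contains the full password, and the hidden input is the only one that should be named in the form and submitted. Anyone looking over the user's shoulder sees at most one character at a time, for at most the reveal delay, which is the same exposure the phones described above accept.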

I actually think that this example should not be implemented on websites; it's really up to the browser manufacturers to fix the issue. We have the "password" type field, and it doesn't make sense to introduce new bugs and complexity to websites this way, creating hundreds of new variants of password fields out in the open.

--Thank you, Douwe, for pointing out that a better solution to the problem with many passwords would be to start introducing OpenID and OAuth on more services. So if you want to do something for your users on your end, start with OpenID!