I can't be bothered to scroll back to see who it was that said that Schneier's credibility has now gone because he made a mistake and admitted to it. Anyone with half a brain knows that admitting you're wrong is a step forward, and admitting you're wrong in public takes a fair amount of courage.
One has to ask though, why is shoulder surfing not considered a risk? Well, take the bank account. Do you deal with your bank account in a public place where everyone can not only see your password as you type it but read the details of your finances? I don't think so, so shoulder surfing isn't likely to be a problem there. What about typing this comment? Well, I don't want people claiming to be me (even anonymously), so I'm not likely to type with an audience. And my various I-don't-care accounts? Well, chances are the potential shoulder surfer knows the password anyway. There, damn, I've just given it away again.
So if someone standing behind you is a problem, how much of a problem? If they're close enough to read the screen, what else can they see? Well, actually, password masking doesn't help at all if you can see the keyboard and watch my fingers. Hell, with a phone you can film the keyboard and read the password in slow motion as it's played back. Password masking doesn't really add any security there either.
I know, I know, there are problems with that line of reasoning. But if one starts from the premise that passwords are visible does that make security better or worse? Don't jump and say "worse". Think about the implications -- what design changes does it mandate that make it better?
In the old, old days, when you used to log into a CRT and there was a 30s delay between hitting the return key and getting a shell prompt, you'd be dead embarrassed if your password was there for all to see. That became the de facto password masking standard until, basically, web forms, where you needed some feedback to make sure that keyboard focus was where you thought it was. Now the problem with iPhones, Blackberries, whatever, is that lack of typing precision is an issue and, especially if your password is reasonably complex, getting it right without feedback is difficult.
So think; don't jump to emotive conclusions.