As per title. The password field should be auto-hidden after a configurable period of time to avoid shoulder surfers.
What password field? It’s hidden by default…
Yes, of course, but once you click the eyeball to show it, the password stays visible for a long time (forever?).
Such as when you unlock your screen; there it is, the last password you looked at, right there in front of you plainly visible. This would be a similar security measure to auto-clearing the clipboard, with a similar level of impact.
@matt-matt2 then I would suggest making that button a “click and hold” one. Then when you want to see the password you can hold it, and when released it will be masked again. Another suggestion, as you have mentioned, is to implement a visibility timeout.
I suspect that a visibility timeout is better from a usability POV than a click-and-hold. This is what many other password vaults implement, for example.
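
The visibility timeout proposed in this thread, sketched as an added example that is not part of any post above or of the product's own code. `RevealController`, `attach` and the 10-second default are hypothetical; the sketch also re-masks when the window loses focus or the page is hidden, so the timer is only the fallback.

```javascript
// Added example: reveal logic for a masked password field.
// RevealController, attach and timeoutMs are hypothetical names.
class RevealController {
  constructor({ timeoutMs = 10000, onChange = () => {},
                // Wrapped so the browser's setTimeout keeps its own `this`.
                setTimer = (fn, ms) => setTimeout(fn, ms),
                clearTimer = (id) => clearTimeout(id) } = {}) {
    this.timeoutMs = timeoutMs;
    this.onChange = onChange;
    this.setTimer = setTimer;
    this.clearTimer = clearTimer;
    this.visible = false;
    this.timer = null;
  }
  // Eyeball click: reveal and start (or restart) the countdown.
  show() {
    this._cancel();
    this._set(true);
    this.timer = this.setTimer(() => this.hide(), this.timeoutMs);
  }
  // Reached from the timer, a second click, or a blur/hidden event.
  hide() {
    this._cancel();
    this._set(false);
  }
  toggle() { this.visible ? this.hide() : this.show(); }
  _cancel() {
    if (this.timer !== null) { this.clearTimer(this.timer); this.timer = null; }
  }
  _set(v) {
    if (v !== this.visible) { this.visible = v; this.onChange(v); }
  }
}

// Browser wiring: the field is re-masked when the timeout expires and as
// soon as the window loses focus or the page becomes hidden.
function attach(input, button, win, timeoutMs) {
  const ctl = new RevealController({
    timeoutMs,
    onChange: (v) => { input.type = v ? 'text' : 'password'; },
  });
  button.addEventListener('click', () => ctl.toggle());
  win.addEventListener('blur', () => ctl.hide());
  win.document.addEventListener('visibilitychange', () => {
    if (win.document.hidden) ctl.hide();
  });
  return ctl;
}
```

In a page this would be called as `attach(passwordInput, eyeButton, window, 10000)`, with the timeout read from the user's settings.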