I guess I am a bit confused. As a feeble student of the magician's art of misdirection, you'd want at least two cracks at a "mark's" password and def looking at hands on the keyboard rather than the screen. So since very little software I've seen actually displays the password as you type it, depending how fast they are, you're guessing if the approx letters they are typing coalesce into a word, or if they are of the "d6keLr#" variety.
Of all the weird security concerns out there, shoulder surfing for passwords hasn't been one of mine. Either I get my back to a wall in a net cafe, or else suspecting co-workers leads down spirals of paranoia.
I hear ya man, it's not one of my top ten either ... But it does come in oh so very handy every now and then..
You're on site to do a job for a client that centers around an anal-retentive user that doesn't wish to share their password with you (even though you're there to resolve their issue). It truly is astonishing how many people will happily give you complete unsupervised access to their machine (And. Its. Data...) for service...but will then staunchly refuse to share the password - including a temporary one... - for "security reasons".
The resolution requires frequently rebooting the computer as various configurations are tested...and the user keeps wandering off, so you end up wasting most of the diagnostic time tracking their silly ass down to get logged back into the machine.
They of course quickly get pissy about the game because you are rudely interrupting their screw off time with your constant nonsensical need to get the friggin job done.
Play time is now over.
First pass objective is first character, key count, and last character.
Second pass objective is second character, and another crack at last character (if missed on previous step).
At all points the sum total of hand movements and locations are taken into consideration for the purpose of ascertaining what if any numbers, special characters, and capitals are used (helps with word guessing too). Close attention is to be paid to the shift keys, and for a quick make 'em type it twice bonus caps lock can be pressed before they get to the keyboard.
Carefully worded casual conversation about key items (like pictures) on their desk can also help yield clues to what the target password might be.