Traditionally, HTML password fields are masked to help prevent shoulder surfing. With that in mind, I don't know who at @GOVUK thought that this was the right choice, even before we get onto the fact the password it's written out in the clear meets the stated criteria https://twitter.com/bentasker/status/1495717477208236040/photo/1