I'd wager shoulder surfing was never that likely, but it is much less likely today and much harder. However, high def recording is much more prevalent these days. The one thing I like that some password forms have started doing is obscure the username. Usually the first time you enter it, it's plausible to grab, but subsequent entries, only grabbing the password, if it is at all feasible, isn't as useful without the username.
I'm sincerely glad I haven't seen login forms that obscure the user ID. Blind user ID entry, followed by 10+ character, high-entropy password, also blind, on a tiny keyboard with no tactile feedback. Don't know about you, but my fingertip can cover 2 phone keyboard virtual keys, and touch corners of 3 or 4 at once.
Logging in is already excruciating. That would make logins secure by making them impossible.