Bugzilla – Bug 15597
(Facebook) Ensure of not storing username and password on the device
Last modified: 2010-02-23 11:24:40 UTC
Obscure Password, do not show cleartext when logging in. Ensure that you are not storing the username and password on the device, just the uid and session.
All data is stored and handled on the server, nothing's on the device.
The user interface of our devices is challenging enough without obscuring the text the user is typing. The user is entering this text in their home, at one time at service setup. Let's not make it any harder for the users than it needs to be in the name of unnecessary security.
I understand. It's just a bit jarring seeing my password in plaintext (especially at the confirmation step.) Also, to clarify Michael's statement on 2010-02-03, "All data is stored and handled on the server, nothing's on the device.": Usernames and passwords should not be stored on the server (or anywhere), only the session_key returned from auth.login(). Please confirm that this is the case.
Aryeh: we store the following info for a user's Facebook account, so yes, we don't store the email or password.
session_key
uid
name
profile pic URL
Andy, perfect. Thanks for the quick reply. One last policy question: for Name and profile pic, you must refresh this cache according to the policy here:
http://wiki.developers.facebook.com/index.php/Storable_Data
"Offline exception: Applications that run on a device controlled by and possessed by the user -- such as desktop or laptop computer, mobile device, or other embedded device -- can cache user data received from Facebook for more than 24 hours only when Internet connectivity is unavailable or it is impossible for the application to run. Such data can be stored on the client device but not a remote server, and cannot be made available to the developer. Cached data older than 24 hours can be displayed to the user (or otherwise used by the application) in lieu of updated data only until an update is possible, and in no case beyond 14 days after the last update."
Right, it does get refreshed.