From a naive user’s perspective this request might appear reasonable but from a developer’s view this should raise concerns. If it’s that easy to undermine security, I don’t know what to think or say. Just imagine this request was a perfect example of social engineering. If that was actually the case, I’d applaud the hacker instead of being angry.
Some of the worst security issues in recent years have been caused by well-intended modifications like heartbleed or Debian’s OpenSSL debacle. However, at least these weren’t intentionally compromising security. Showing before invisible passwords clearly is.