Is there a way to hide what’s being typed, much in the way a password input does?
The cleanest way is probably to use the -webkit-text-security style, either directly on .cm-line or via a mark decoration.
Unfortunately it’s not standard.
Also, it seems that selecting and copying the (obfuscated) password allows to paste it in clear form.