We rarely talk about it these days, but shoulder surfing is a pretty old (but reliable) attack. This is why most password prompts are masked. Many modern mobiles (and tablets) however will highlight keys pressed on the keyboard making old style shoulder surfing attacks trivial (and reasonably automatable) again.
In an effort to (help) bring back the 90's we decided to do some fiddling and built a quick app(on top of the awesome OpenCV framework) to automate shoulder surfing against iPads.
(You can read more about it [here], download a short pdf on it [here] or just watch the youtube video below (but we think the pdf is more fun!))
One of the previewers asked: "Are you deliberately moving your fingers out of the way?"
We decided to answer by quickly typing A-E with normal cadence and normal movement.
All in all.. a fun time was had by all :>