An interesting paper to be published shortly by three clever people at UC Berkeley reports that without training (other than a 10-minute recording of someone typing) a recognition algorithm can be built to derive what is being typed, including passwords. There are many caveats here, including the requirement that the typist is typing in one language (they used English) and that the recognition rate is far from 100%. But nevertheless it provokes thought.
So what does this tell us? First off, relying solely on passwords is a bad idea -- even if this attack wasn't possible, there are just so many others. Two-factor authentication is not foolproof but it does greatly reduce the risk.
Second, this reiterates the old saw about physical access. If I can get close to your PC then I have a reasonable chance of obtaining your user ID and password.
Type quietly, everyone!