This is purely a coding issue on AT&Ts website.
First of all, their password input field is coded as a text field instead of a password field. So everything you type in goes in as plain viewable text.
<input id="password" class="inputClass" type="text" tabindex="2" title="Password" size="30" value="" onkeypress="validateCapsLock(event);" onblur="PasswordBoxFocusOutImgChange();" onfocus="PasswordBoxFocusImgChange()" autocomplete="off" real="password">As far as I can tell, the original password field does exist. However, it is no longer assigned the id of password and it's style display is set to none to hide it.
<input class="inputClass" type="Password" tabindex="2" title="Password" name="password" size="30" value="" onkeypress="validateCapsLock(event);" onblur="PasswordBoxFocusOutImgChange();" onfocus="PasswordBoxFocusImgChange()" style="display: none;">
Because of this ridiculously insecure method, they are also using javascript to store your password as you type it in a "real" value on the input field so it can "replace" your password with the circles as you type.
I don't know why anyone would think this is a great idea -- I don't care if you're using a tablet PC or not -- this is not a mobile device, this is not a website to be displayed on mobile devices, this is a full desktop page. This means an increased security risk. Now, all it takes is someone glancing at my screen to get my password as I type it.