If the password is submitted online then use HTML's built-in password field. When submitting to an Apache webserver then use CGI.pm's password_field function, which writes the tags for you. The CGI.pm documentation gives the following example written in the named parameter style:

print $query->password_field(-name=>'secret',
                             -value=>'starting value',
                             -size=>50,
                             -maxlength=>80);
[download]