One question: what about Data::Dumper and friends? Sure what you've done is interesting, but if a password is part of a structure or object which gets dumped, you're no further ahead. I'd suggest storing the value as sub { $value }. At least it won't be so obvious then. Otherwise, I like it.

Oh yes. Also I don't think that the default obfusticator ought to use the length of the value in the masked string as that leaks information, i.e. the length of the value.

And I prefer Text::Masked