We ask for very little information from users, and asking for an email to reset the pass felt like too much.* Thanks for bringing this up, as we are probably going to change this and make it more secure.
Password masking, along with asking for a password confirmation, is what everyone expects. Any affected attempt at 'simplifying' that UI without a total transformation (like no accounts at all, not shit like OpenID) leads directly to anger and disillusionment when their plaintext password is staring them in the face.
Use <input type=password>. Use two of them when registering, and one when logging in. It's a basic affordance, don't fuck with it.
I've been favoriting tracks but it's not clear that it has any effect on what gets played. You're saving the tracks I fave, but then I can't do anything with them except delete them — which should absolutely not use the same heart icon you use for creation. I clicked it thinking it would play that track again, and POOF.
Three fields should be ok - username, pass, confirm pass. Better that than visible passwords. If users want to add their email and other info later, have an Account page for that.
*When you can see your pass, it's harder to forget.