The pervasive use of mobile devices exposes users to an elevated risk of shoulder-surfing attacks. Despite the prior work on shoulder-surfing resistance of mobile user authentication methods, there is a lack of empirical studies on textual password authentication methods, particularly the hybrid passwords that integrate textual passwords with biometrics. To fill the literature gap, this research compares two hybrid password methods, touch-gesture- and keystroke-based passwords, with respect to their shoulder-surfing resistance performance. We select a touch-gesture-based password method that deploys multiple shoulder-surfing resistance strategies and a keystroke-based password method that leverages keystroke dynamics. To gain a holistic understanding of these password methods, we examine them under a variety of shoulder-surfing settings by varying interaction mode, observation angle, entry error, and observation effort. Going beyond effectiveness metrics, we also introduce efficiency metrics to assess shoulder-surfing resistance performance more comprehensively. We hypothesize and test the effects of shoulder-surfing settings by conducting both a longitudinal lab experiment and an online experiment with diversified participants. The results of both studies demonstrate the superior performance of the touch-gesture-based password method to the keystroke-based counterpart. The results also provide evidence for the effects of interaction mode, observation angle, and observation effort on shoulder-surfing resistance of hybrid passwords. Our findings offer suggestions for the design and strategies for strengthening the security of password authentication methods.