by wartywhoa23 84 days ago
Well, if leaking the length of the password is such a big deal, why not just use a reasonably long password?

Moreover, if someone can see the number of asterisks on the screen, what prevents them from seeing the actual keys that are being pressed?

4 comments

Again looking back at the history of Unix, it used a 56-bit variant of DES encryption that used the user's password as the key. So only the first 8 characters of the password were used and the rest was silently unused; for example, "password" and "password123" would have been the same password on early Unix. And although most BSDs and Linuxes moved in the mid 90s to PAM (and hence md5, etc.), most SVR4s didn't move until late in the 90s. And at the other end, DES crypt() made its way into Unix in some v6s (~1977) and became widely available in the release of v7 Unix. So 8-character passwords were a thing for about 20 years.
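The truncation this comment describes, shown as an added example that is not the commenter's code or any Unix source: a Python model of only the key-derivation step of traditional DES crypt(3) (the first 8 characters, 7 bits each, forming a 56-bit key), which is enough to see which passwords collapse to the same key. It does not run the DES hash itself, and the function names are ours. The collision-grouping helper is the kind of check an auditor would run over a password policy's own test set to see how much of a long password a legacy crypt actually keeps.

```python
# Added example (not from the thread): model of the key derivation used by
# traditional Unix DES crypt(3). Only the key-building step is reproduced,
# not the DES encryption, so collisions can be demonstrated offline.

from collections import defaultdict


def des_crypt_key(password: str) -> bytes:
    """Return the 56-bit key material classic crypt(3) derived from a password.

    Only the first 8 characters are consumed, and only the low 7 bits of each
    character contribute (DES ignores the 8th bit of every key byte). A short
    password is zero-padded; anything after the 8th character never reaches
    the cipher, so it cannot affect the stored hash.
    """
    raw = password.encode("latin-1", errors="replace")[:8].ljust(8, b"\x00")
    # Shift the 7 useful bits into the positions DES reads, as the original
    # crypt.c did bit by bit.
    return bytes(((c & 0x7F) << 1) for c in raw)


def same_legacy_password(a: str, b: str) -> bool:
    """True when two passwords would authenticate identically under DES crypt."""
    return des_crypt_key(a) == des_crypt_key(b)


def effective_key_bits(password: str) -> int:
    """Bits of the password that actually reach the cipher: at most 8 * 7 = 56."""
    return min(len(password), 8) * 7


def legacy_collision_groups(passwords: list[str]) -> dict[bytes, list[str]]:
    """Group candidate passwords by the DES crypt key they collapse to.

    Any group with more than one member shows passwords that a policy treats
    as distinct but a legacy crypt() cannot tell apart.
    """
    groups: dict[bytes, list[str]] = defaultdict(list)
    for pw in passwords:
        groups[des_crypt_key(pw)].append(pw)
    return dict(groups)


if __name__ == "__main__":
    # Constructed sample values, chosen to illustrate the collision.
    sample = ["password", "password123", "Password!", "passwordXYZ"]
    for key, members in legacy_collision_groups(sample).items():
        print(key.hex(), "<-", members)
    print("effective key bits for 'password123':", effective_key_bits("password123"))
```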
My lab at university was like this, well into the 2000s. I remember a guy just smashing keys on his keyboard, and then the login worked. I was amazed at how complex his password was and how he could manage to type it that fast.
I liked how the IBM Lotus suite hid password input behind a randomly-generated number of asterisks per key press.
Or listening to the number of keystrokes (although you can add random characters and then backspace to help mitigate this).
Video cameras are a thing too.