Of all the security concerns to have, this seems like just about the most trivial. Nevermind the terrible passwords most people use to begin with, if someone is using a sufficiently long password, brute forcing is going to take a stupidly long time.
Nevermind that it’s pretty hard to accurately count the number of asterisks over someone’s shoulder if it’s a decent password; and if it’s four asterisks - well, brute forcing isn’t going to take long anyway, is it? I don’t think knowing the length of a password is really that important.
Perhaps if you’re a spy or in the military; but really, you should have other security concerns in addition to password length, and someone like that isn’t going to employ this tip.
I mean, seriously. The more I think of who might want to see asterisks when they type, the more I think anyone who would actually benefit from worrying about would never employ this trick in the first place.
My password for my desktop computer is eight characters. The password I use for a few services such as several email accounts and a couple of tools I use is nine characters in length. The password to my password keeper service is 16 characters long. Beyond that, I use a self-written generator that generates passwords of 24 or 32 characters in length, and use my password manager for storage.
If you in any way think that knowing that helps you hack into me, well, I suppose it might assist you in some extremely trivial way. But nobody’s going to hack me with that knowledge. I’m not saying I’m unhackable; just that that information would not be a part of what allows someone to hack any of the things I use. It’d take an exploit - technical or social - to do that.