When I wrote the login program for my VSTa microkernel, I took a page from the CDC side of the world--it echoes a _random_ (but small, non-zero) number of *'s. So you get feedback, but indeed peering over your shoulder will not disclose password length.
And yes, it remembers how many it echoes so backspace works correctly.
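The echo scheme described above, as an added C example that is not the VSTa login source: each accepted character echoes a random 1..STARS_MAX stars, and the per-character count is kept so a backspace erases exactly that many. The names `masked_feed`, `struct masked_input`, `STARS_MAX` and `demo_rnd` are hypothetical, and the keystrokes in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>
#define PW_MAX    64
#define STARS_MAX 3              /* assumed bound for "small, non-zero" */

struct masked_input {            /* hypothetical state for one prompt */
    char pw[PW_MAX + 1];
    unsigned char stars[PW_MAX]; /* stars echoed per accepted character */
    size_t len;
};

/* Feed one keystroke. Writes the bytes to echo into `echo` (NUL-terminated,
 * at least 3*STARS_MAX+1 bytes). Returns 1 once Enter ends the input. */
int masked_feed(struct masked_input *in, int key, int (*rnd)(void), char *echo)
{
    size_t n = 0;
    if (key == '\n' || key == '\r') {
        in->pw[in->len] = '\0';
        strcpy(echo, "\n");
        return 1;
    }
    if (key == '\b' || key == 0x7f) {
        if (in->len > 0) {       /* erase exactly what this char produced */
            unsigned char k = in->stars[--in->len];
            in->pw[in->len] = '\0';
            while (k--) { memcpy(echo + n, "\b \b", 3); n += 3; }
        }
    } else if (in->len < PW_MAX) {
        unsigned char k = (unsigned char)(1 + (unsigned)rnd() % STARS_MAX);
        in->pw[in->len] = (char)key;
        in->stars[in->len++] = k;
        memset(echo + n, '*', k);
        n += k;
    }
    echo[n] = '\0';
    return 0;
}

/* Demo-only counter so the run is repeatable. A real prompt should draw from
 * an unpredictable source: if an observer can predict the counts, the total
 * number of stars on screen gives the length back. */
static int demo_rnd(void) { static int i; return i++; }

int main(void)
{
    struct masked_input in = {0};
    char echo[3 * STARS_MAX + 1];
    const char *keys = "ab\bc\n";          /* constructed keystrokes */
    for (const char *p = keys; !masked_feed(&in, *p, demo_rnd, echo); p++)
        fputs(echo, stdout);
}
```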