Think of it this way: there’s a button to show your actual password in the majority of applications nowadays.
`sudo` and `login` are I think the only two tools I use that don’t provide any feedback.
Otherwise my entire life is behind a password database that lets me see my password in plaintext and otherwise shows the length of it as it’s typed. KeePassXC.
If knowing the length of your password makes it easy to crack, you probably have other problems.
It saves 1/Nth of the total time taken to brute force an N character password compared to starting from length 1. So any password where this is a significant fraction is so short that the time saved isn't really relevant.
So yes, "easier", technically. But not in any meaningful way.
No, not really. If you have people watching you so closely, there’s a good chance they can watch your fingers on the keyboard, too. Maybe you’re sharing your screen for a presentation, this might be slightly ill advised, but then, you should run such things in a VM or container and use silly demo passwords.
It really isn’t. The threat model is someone who can watch you type a sudo command, and has physical access to your computer to try to brute force combinations, or a way to access a backup of your hard drive or passwords file.
Knowing the length narrows down the search space some, but a meaningfully long password basically makes that knowledge useless, and again, it’s only useful if the approach they take is to try to physically possess your computer or obtain an encrypted backup.
A far more likely effort is going to be a spear phishing email, especially since if they have physical access to you they probably know a lot about you, and what services to spoof to get you to give them passwords, and so on.
Correct, it is not a meaningful reduction of security. In terms of information theory, the search-space reduction will not make a strong password tractable. And that's leaving aside that you could already get that information via sound, or visually by looking at the keyboard. And GUIs already gave the length of the password, it was only some text-based applications that gave zero password feedback.
Conversely, making people more comfortable with security measures may well improve security; for instance, some people will have an easier time typing in longer and more complex passwords thanks to password feedback.
If your password is long enough, it doesn’t matter if they know it is, say, 16 characters, and if it isn’t long enough, it also doesn’t matter, because they can just brute force all the potential lengths up to it. So yes, it is just security theater.
That's an argument for telling people the strength of their password, and warning them when setting a weak password. It's not an argument for decreasing usability in a fashion that will make people less comfortable typing long, complex passwords.