
If the UX issue is "I don't know whether the keystroke registered", isn't there a way to fix it without revealing the length? E.g., I've seen some password inputs that display multiple dots per keystroke.

Though I guess the broader context is if the attacker has "shoulder-level access" you probably have bigger things to worry about ;)



If the length of your password reveals enough information about the password to practically aid in discovery, your password sucks and you need to choose a new one.


We could flash the prompt character so the user knows the keypress was received. Someone could still count the number of flashes, but the number of characters wouldn't be revealed persistently. I think no feedback at all is usually best, though.



