
The question was:

> How is exposing length of a password a vulnerability?

You're arguing exactly the point... knowing the length of a password is helpful in cracking it. We all agree short is bad. Depending on your threat model, you (hopefully) don't use passwords as the only verification very many places - perhaps to unlock stronger secrets (ssh keys, an account without local login that can only connect with a certificate). You'd still rather a shoulder surfer doesn't know how many characters you pressed.



Any password of a length that could feasibly be cracked by way of brute force (so up to perhaps 8?) would only save 1/N of the total time taken to crack it, with N being the length, if one were to know the exact length.

So yes, sure, technically there is an effect, but it's such a small effect, and only for people that should change their damn passwords already, that it's worth making the change for the improved UX.



