Hacker News

gzread today at 6:49 AM

Good. It's terrible UX.

The security argument is a red herring. It was originally built with no echo because it was easier to turn echo on and off than to echo asterisks. Not for security.


Replies

zenethian today at 7:32 AM

You got some sources or did you just make that up?

Because to hell with UX when it comes to security. Knowing the exact length of a password absolutely makes it significantly less secure, and knowing the timing of the keystrokes doubly so.

themafia today at 7:03 AM

> easier to turn echo on and off than to echo asterisks.

One implies the other. You turn echo off. Then you write asterisks.

> Not for security.

Consider the case of copy and pasting parts of your terminal to build instructions or to share something like a bug report. Or screen sharing in general. You are then leaking the length of your password. This isn't necessarily disastrous for most use cases but it is a negative security attribute.

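The two steps described in the comment above (turn echo off, then write asterisks), as an added example that is not part of the thread or of any project's code. The names `read_masked` and `put` are hypothetical, and the sketch assumes a POSIX termios terminal and does not handle signals arriving mid-prompt.

```c
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical helper: write n bytes, report failure. */
static int put(int fd, const char *s, size_t n)
{
    return write(fd, s, n) == (ssize_t)n ? 0 : -1;
}

/* Hypothetical helper: read one line from fd_in into buf (NUL-terminated),
 * writing one '*' to fd_out per accepted byte. Returns the length or -1. */
ssize_t read_masked(int fd_in, int fd_out, char *buf, size_t cap)
{
    struct termios saved, quiet;
    int is_tty = isatty(fd_in) && tcgetattr(fd_in, &saved) == 0;
    size_t n = 0;
    ssize_t r;
    char c;

    if (cap == 0) return -1;
    if (is_tty) {
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)(ECHO | ICANON); /* step 1: echo off */
        quiet.c_cc[VMIN] = 1;
        quiet.c_cc[VTIME] = 0;
        tcsetattr(fd_in, TCSAFLUSH, &quiet);
    }
    while ((r = read(fd_in, &c, 1)) == 1 && c != '\n' && c != '\r') {
        if (c == 0x7f || c == '\b') {            /* backspace */
            if (n > 0) { n--; put(fd_out, "\b \b", 3); }
        } else if (n + 1 < cap) {
            buf[n++] = c;
            put(fd_out, "*", 1);                 /* step 2: write the mask */
        }
    }
    buf[n] = '\0';
    if (is_tty) tcsetattr(fd_in, TCSAFLUSH, &saved); /* restore terminal */
    put(fd_out, "\n", 1);
    return r < 0 ? -1 : (ssize_t)n;
}

int main(void)
{
    char pw[128];
    put(STDERR_FILENO, "Password: ", 10);
    ssize_t n = read_masked(STDIN_FILENO, STDERR_FILENO, pw, sizeof pw);
    memset(pw, 0, sizeof pw); /* demo only: discard the secret */
    return n < 0;
}
```

The mask bytes written to `fd_out` are exactly what a copied terminal transcript or a shared screen would show, which is the length leak the comment refers to.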