osterman
commented
4 years ago I can see your point. In some ways it's perhaps more secure the conceal the length in addition to the characters. What I don't like about it is it conceals also bad values (e.g. empty strings or exceptionally short passwords).
I don't have a super strong opinion on this. If others would like it to work this way, wouldn't oppose a PR for it (ideally making it optional?).
Why is the length of a secret included in the output? It would be better to mask with a set length list of repeated characters.