I think in OpenSSH this was mostly fixed with ObscureKeystrokeTiming which is enabled by default:

> Specifies whether ssh(1) should try to obscure inter-keystroke timings from passive observers of network traffic. If enabled, then for interactive sessions, ssh(1) will send keystrokes at fixed intervals of a few tens of milliseconds and will send fake keystroke packets for some time after typing ceases. The argument to this keyword must be yes, no or an interval specifier of the form interval:milliseconds (e.g. interval:80 for 80 milliseconds). The default is to obscure keystrokes using a 20ms packet interval. Note that smaller intervals will result in higher fake keystroke packet rates.

Although that's on the client-side, if the server responds with a "*" symbol for each keystroke it might be possible to reconstruct password length from network traffic.