Comment 84 for bug 194472

Jamie Strandboge (jdstrand) wrote :

Phillip:

This is not the 'Server Security' team, but the Ubuntu Security team. As mentioned earlier in this thread, no other applications in the default server install provide password feedback (e.g., console login and ssh). Therefore, a shoulder surfer cannot obtain the password length via those applications. If we add password feedback to sudo on the server, then sudo provides an avenue for enumerating the password length where one did not exist before. This is undesirable.

"Ubuntu is anyway not the safest server environment with much features enabled by default."
Please file a separate bug with specifics on what you consider to not be safe in a default server install.