Balancing convenience against security, and how you can tune the knobs toward more security.
Describes the convenience and security trade-offs of auto-confirmation when entering a numeric PIN, which raise information disclosure concerns.
An attacker can use this behavior to discover the length of the PIN: Try to sign in once with some initial guess like “all ones” and see how many ones can be entered before the system starts validating the PIN.
Knowing the length of a random PIN/password is roughly as valuable as knowing one of the characters. If it's a concern, just make it two longer and you have just improved security.
I don't know how that applies to non-random PINs/passwords.
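
The length disclosure described above, as an added example (not code from the original page or from any product): a constructed `PinPad` model with a hypothetical `auto_confirm` switch, shown with the weak setting beside explicit confirmation, and a `leaked_length` regression check that reports whether validation fires on its own. The class, function and sample PIN are all assumptions made for illustration.

```python
import hmac

class PinPad:
    """Constructed model of a PIN entry field (hypothetical, not a real product)."""

    def __init__(self, pin: str, auto_confirm: bool):
        self._pin = pin
        self._auto_confirm = auto_confirm
        self._buffer = ""
        self.validations = 0  # number of times the PIN was actually checked

    def press_digit(self, digit: str) -> str:
        """Handle one key press; returns 'pending', 'ok' or 'rejected'."""
        self._buffer += digit
        # Weak setting: validate as soon as the buffer reaches the PIN length.
        if self._auto_confirm and len(self._buffer) == len(self._pin):
            return self._validate()
        return "pending"

    def press_enter(self) -> str:
        """Explicit confirmation: the only trigger when auto_confirm is off."""
        return self._validate()

    def _validate(self) -> str:
        self.validations += 1
        entered, self._buffer = self._buffer, ""
        ok = hmac.compare_digest(entered.encode(), self._pin.encode())
        return "ok" if ok else "rejected"


def leaked_length(pad: PinPad, max_digits: int = 12):
    """Press one repeated digit and report after how many presses the pad
    validated on its own. None means the length was not disclosed."""
    for count in range(1, max_digits + 1):
        if pad.press_digit("1") != "pending":
            return count
    return None


if __name__ == "__main__":
    # "493027" is a constructed sample PIN.
    print(leaked_length(PinPad("493027", auto_confirm=True)))   # length disclosed
    print(leaked_length(PinPad("493027", auto_confirm=False)))  # nothing disclosed
```

With explicit confirmation the pad accepts any number of digits without reacting, so a single failed attempt no longer reveals how long the PIN is.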