Optional
Yawn. So what if they knew my password is 16 characters long? It will still be computationally infeasible to find it through a brute force search. As long as you use a password that is twelve or more characters long, has symbols, numbers, and capital letters, and does not have dictionary words, it will be very difficult to attack. And if you use a good pseudorandom password generator then you're good to go.
One simple way to counter this ground-breaking attack is to use client-side scripting to hash the username and password in the browser before transmitting them. Then all credentials will have the same length. Problem solved.
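
An added example (not part of the comment above) that measures what the suggestion does to the size of the submitted login form. The field names `username` and `password`, the choice of SHA-256, and the sample credentials are all assumptions constructed for the illustration.

```javascript
// Added illustration: compares the byte size of a login form body when
// credentials are sent as typed versus hashed in the client first.
// Field names, SHA-256 and the sample credentials are assumptions.
const { createHash } = require('node:crypto');

// Hex SHA-256 digest: always 64 characters, whatever the input length.
const sha256Hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Body an ordinary form post would carry (application/x-www-form-urlencoded).
function rawBody(username, password) {
  return new URLSearchParams({ username, password }).toString();
}

// Body after hashing both fields before transmission.
function hashedBody(username, password) {
  return new URLSearchParams({
    username: sha256Hex(username),
    password: sha256Hex(password),
  }).toString();
}

// Byte size of each body produced by `build` for a list of [user, pass] pairs.
function bodySizes(build, credentials) {
  return credentials.map(([u, p]) => Buffer.byteLength(build(u, p), 'utf8'));
}

// Constructed sample credentials of different lengths.
const SAMPLE = [
  ['al', 'hunter2'],
  ['alice', 'correct horse battery'],
  ['alice@example.com', 'Tr0ub4dor&3-Tr0ub4dor&3!'],
];

// Raw bodies differ in size with the credentials; hashed bodies do not.
console.log('raw bytes   :', bodySizes(rawBody, SAMPLE));
console.log('hashed bytes:', bodySizes(hashedBody, SAMPLE));
```

With this scheme the server receives the digest in place of the password, so the digest is the value it has to verify.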