The solution to this is platform-specific, unfortunately.
On Linux or BSD, you can use the readpassphrase function (there is also getpass, though it suffers from not allowing the buffer and buffer size to be provided by the caller. The documentation for the GNU Lib C (link broken? try this alternative instead) library also provides an excellent guide on how to implement this yourself in terms of the lower level termios primitives, which you can use on other UNIX implementations in lieue of getpass).
On Windows, you can use SetConsoleMode to disable the default echoing behavior (and thus echo your own characters such as the asterisk). You could then use SetConsoleMode to restore the echoing.
I should add, however, that this is a very poor form of authentication as it involves yet more passwords which are the bane of every user's existence (and not particularly secure, either). A better approach is to start a webserver in your application and output the URL on which the user should authenticate. The advantage to this approach is that, when the user navigates to this URL, that URL can then support delegated login to third party identity providers such as Google, Facebook, Twitter, etc. Even if you don't support third party identity providers, this approach comes with other benefits; if you have other web-based tools, this approach reduces the number of times that the user must authenticate (since the commandline tool and web based tools will share the same browser session) and allows you to implement the login flow only once, this approach also mitigates phishing risks (users can plainly see the host in the browser when they enter their credentials compared to entering credentials on the commandline where it is much easier to spoof a prompt, and if you only redirect to localhost at the last step but do the majority of the logic on a remote host this approach also allows updates to the authorization flow to be deployed independently of the client commandline application which has important security benefits. That being said, a web based login such as this is not always the right approach. It is also worth looking into alternative authentication mechanisms such as libpam (under libpam, you would use the function pam_authenticate to authenticate the user rather than taking the password as input directly). It's worth investing some research to determine the best mechanism for your particular use case.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…