If a password input form asks any of these questions, consider the website or service compromised right from the beginning. The reason for this, is that it means they are not storing salted/hashed passwords and your password will be stored as plain text on their servers. There’s no reason for any limitations on a password. In the event of a breach, your password will be visible in any database dumped by a hack. Always makes me wince when a password form complains about password length, as it really should not matter. When you hash a password, it will be stored in the database at a specific string length;
All of those things can be verified before storing the password in any way, encrypted or not, and checking them would be a requisite before storing it.
While it’s true that they don’t have a significant impact on the hash generated, they make it significantly more difficult for anyone to guess your password. It’s much easier to guess password321 than something like Or^9L%u&QQ12XxI@. And that has nothing to do with how the password is ultimately stored.
If a password input form asks any of these questions, consider the website or service compromised right from the beginning. The reason for this, is that it means they are not storing salted/hashed passwords and your password will be stored as plain text on their servers. There’s no reason for any limitations on a password. In the event of a breach, your password will be visible in any database dumped by a hack. Always makes me wince when a password form complains about password length, as it really should not matter. When you hash a password, it will be stored in the database at a specific string length;
Eg; using sha-1 hashing:
pass123 = 5f1e04b7fc8d7067346b77bdbb6a4d4f9f4abace28f15c2b265c710b120393b2 password321 = 8852ab05d5b32f9efd3dcbf69edcfd65464e64c8e5e8310239871e02380e81b3That’s just not true, all of these things can be achieved without saving the password as plain text
All of those things can be verified before storing the password in any way, encrypted or not, and checking them would be a requisite before storing it.
While it’s true that they don’t have a significant impact on the hash generated, they make it significantly more difficult for anyone to guess your password. It’s much easier to guess
password321than something likeOr^9L%u&QQ12XxI@. And that has nothing to do with how the password is ultimately stored.Any site worth its salt (heh) will verify criteria on client for UI reasons, not just in the backend