How is it not true? If a site is saying for example, "password must be less than 20 characters" -- that is purely a limitation based on the size of the database field, which you can only assume it's being adding to that field as plain text. A hash will always be the same length and password length would not matter.
unixfreak
joined 1 year ago
If a password input form asks any of these questions, consider the website or service compromised right from the beginning. The reason for this, is that it means they are not storing salted/hashed passwords and your password will be stored as plain text on their servers. There's no reason for any limitations on a password. In the event of a breach, your password will be visible in any database dumped by a hack. Always makes me wince when a password form complains about password length, as it really should not matter. When you hash a password, it will be stored in the database at a specific string length;
Eg; using sha-1 hashing:
pass123 = 5f1e04b7fc8d7067346b77bdbb6a4d4f9f4abace28f15c2b265c710b120393b2
password321 = 8852ab05d5b32f9efd3dcbf69edcfd65464e64c8e5e8310239871e02380e81b3
Hedgefund investors need to pay for their caviar and cocaine somehow 😶
Of course, requiring at least one symbol or upper case letter etc is a good idea, along with a minimum length. Many websites won't let you use a password longer than a certain amount of characters. The only reason for that limitation is that they are storing the database field as plaintext, and anything longer will not fit into that column.