Small rant incoming. I just went to look at applying to Walmart, and when going to make an account their password requirements were 8-11 characters. What kinda nonsense is that? Some terribly made backend I’d assume. It’s bad enough I gotta make a million accounts when applying to jobs, but then you got my PII sitting behind such terrible password requirements it makes me wonder where else they are cutting corners on security.

  • Scott@lem.free.as · 44 upvotes · 1 day ago

    All stored passwords should be salted and hashed. That means each one uses the same amount of space, regardless of original length.

    There should definitely be a minimum length but not a maximum (within limits; let’s not break web standards or the laws of thermodynamics).

    • NullNet@lemmy.blahaj.zone (OP) · 7 upvotes · 1 day ago

      You mentioned salting and hashing; that reminds me of places that used to put companies on blast for storing passwords in plaintext.
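
The storage point in Scott's comment, as an added example that is not part of the thread: a salted, hashed record comes out the same size for an 8-character password and a 200-character one, so a low maximum length saves nothing. PBKDF2-HMAC-SHA256, the iteration count and the length bounds are assumptions of this sketch, not anything a site named in the thread is known to use.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch (not taken from the thread).
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_LEN = 16          # bytes of random salt, unique per stored password
DIGEST_LEN = 32        # SHA-256 output size in bytes
MIN_LEN = 8            # minimum length enforced at signup
MAX_LEN = 1024         # generous cap, only to bound request size and hashing cost


def hash_password(password: str, iterations: int = ITERATIONS) -> bytes:
    """Return salt || digest. Always SALT_LEN + DIGEST_LEN bytes."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        raise ValueError("password length out of range")
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt + digest


def verify_password(password: str, record: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if len(password) > MAX_LEN or len(record) != SALT_LEN + DIGEST_LEN:
        return False
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def record_sizes(passwords, iterations: int = ITERATIONS) -> dict:
    """Map each password's length to the size of its stored record."""
    return {len(p): len(hash_password(p, iterations)) for p in passwords}


if __name__ == "__main__":
    # Constructed sample passwords: 8, 11 and 200 characters.
    samples = ["hunter22", "hunter22abc", "correct horse battery staple " * 7]
    samples[2] = samples[2][:200]
    for length, size in record_sizes(samples).items():
        print(f"password length {length:>3} -> stored record {size} bytes")
    # The same password hashed twice gives different records because of the salt.
    print(hash_password("hunter22") != hash_password("hunter22"))
```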