May 2015

How to spot a site that stores plaintext passwords

Here's a screenshot of the password requirements for a site. There's one really suspect thing about it that strongly suggests the passwords are stored in plain text in their database instead of being hashed/encrypted: there's a limit on the password length. The instructions say the password must be no more than 14 characters long. Were it stored properly, the site would be able to accept a much longer password, since a hash comes out the same length however long the input is. While I applaud them for accepting non-alphanumeric, aka "special", characters, needlessly limiting the length is a step backwards.
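The reasoning above as an added example, not part of the original post: a salted password hash occupies the same number of characters whatever the password's length, so proper storage gives no reason for a 14-character cap. PBKDF2-HMAC-SHA256, the iteration count, the record format and the sample passwords are assumptions chosen for illustration, not details of the site in the screenshot.

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumptions, not taken from any particular site).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return 'salt_hex$hash_hex' for storage; a fresh random salt is used if none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def record_lengths(passwords):
    """Map each password's length to the length of the record a database would store."""
    return {len(p): len(hash_password(p)) for p in passwords}


# Constructed sample passwords: at the site's 14-character limit, just over it,
# a long passphrase, and an absurdly long input.
SAMPLES = [
    "Tr0ub4dor&3!xy",
    "Tr0ub4dor&3!xyz",
    "correct horse battery staple, and then some more words for luck",
    "x" * 1000,
]

if __name__ == "__main__":
    for pw_len, rec_len in record_lengths(SAMPLES).items():
        print(f"password length {pw_len:>4} -> stored record length {rec_len}")
```

Every stored record is 97 characters (32 hex characters of salt, a separator, 64 hex characters of hash), so a fixed-width column fits a 14-character password and a 1000-character one alike.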