Except for the form submission limits you are simply wrong. Hashing passwords, regardless of their length, can result in a fixed-length hash. Therefore the length of the password does not matter, as long as once encrypted it matches the database entry.
The password strength algorithms are stupid, as most of them do not enable you to create a password that is a sentence, for example "riding a horse tonight", which is a very strong password, can mean something to the user, is easy to remember and is very hard to crack.
Wrong how? And hashing and encryption are two different things that shouldn't be confused.
Yes hashing does mean that it will end up a fixed length, but before you get the hash you have:
The user's browser/app
Any Web Application Firewalls between you and the user
The server application receiving the password
The frameworks you are using
The hashing algorithm
You should be testing that all of them support the longest password you allow, which without max limit set is infinite and impossible to test.
Password Strength Meters - I think these should be indicative, rather than absolute. A minimum length password of all lowercase letters should be marked as insecure. Something more complex is better. Long and randomly generated is best. Disallowing previously breached and common passwords is more important than the password strength meter, but using them both together is a good way to give users visual, understandable feedback.
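As an added illustration of the "test every layer up to the hashing algorithm" point above (example code, not from either commenter): the application enforces its own byte limit before hashing, and a check confirms that the KDF actually reads the whole password at that limit. The 256-byte limit, the fixed salt and the truncating stand-in KDF are all constructed for this example; `pbkdf2_hmac` is the real standard-library call.

```python
import hashlib
from typing import Callable

# Hypothetical application policy: the longest password the form accepts, in UTF-8 bytes.
# Counting bytes rather than characters matters: "é" is one character but two bytes.
MAX_PASSWORD_BYTES = 256
SALT = b"constructed-fixed-salt"  # constructed for the demo; use os.urandom(16) per user

Kdf = Callable[[bytes, bytes], bytes]


def pbkdf2_kdf(raw: bytes, salt: bytes) -> bytes:
    """Real KDF from the standard library: reads the whole input, always returns 32 bytes."""
    return hashlib.pbkdf2_hmac("sha256", raw, salt, 100_000)


def truncating_kdf(raw: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for a KDF that only reads the first 72 bytes of its input
    (modelled on bcrypt's 72-byte limit). Everything past byte 72 is silently ignored."""
    return pbkdf2_kdf(raw[:72], salt)


def within_limit(password: str, max_bytes: int = MAX_PASSWORD_BYTES) -> bool:
    """Application-layer check: the limit is measured in encoded bytes, not characters."""
    return len(password.encode("utf-8")) <= max_bytes


def hash_password(password: str, kdf: Kdf = pbkdf2_kdf,
                  max_bytes: int = MAX_PASSWORD_BYTES) -> bytes:
    """Reject over-long passwords before they reach the KDF, then derive a fixed-length hash."""
    if not within_limit(password, max_bytes):
        raise ValueError(f"password exceeds {max_bytes} bytes")
    return kdf(password.encode("utf-8"), SALT)


def kdf_uses_full_length(kdf: Kdf, max_bytes: int = MAX_PASSWORD_BYTES) -> bool:
    """The test the reply asks for, applied to the hashing layer: two passwords of the
    maximum allowed length that differ only in their final byte must hash differently.
    If they collide, the KDF truncates below max_bytes and the advertised limit is false."""
    prefix = "a" * (max_bytes - 1)
    h1 = hash_password(prefix + "b", kdf, max_bytes)
    h2 = hash_password(prefix + "c", kdf, max_bytes)
    return h1 != h2 and len(h1) == len(h2)


if __name__ == "__main__":
    print("pbkdf2 uses the full password:", kdf_uses_full_length(pbkdf2_kdf))   # True
    print("truncating stand-in passes:", kdf_uses_full_length(truncating_kdf))  # False
```

The same check can be pointed at any other layer that transforms the password (a WAF rule, a framework validator) by swapping in a callable that passes the input through that layer first.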