by setzer22 2578 days ago
> my old password was no longer permitted.

But how did they know? They should just have the hash...

3 comments

If they implemented it properly, they could have checked the current password against the revised guidelines on the next login. No need to store it in plain text.

The website can check the password during login without storing it in plaintext.

The login form usually sends the password in cleartext and it's then hashed on the server-side prior to comparing it to the hash stored in the database.

So they can just determine the password's strength at the time when the user is logging in.
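The flow these comments describe, as an added example that is not part of the thread: the server stores only a salted hash, verifies the submitted password against it, and only then evaluates the plaintext it holds in memory against the current policy. The policy rules, iteration count, function names and the in-memory `db` dict are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed policy standing in for the site's "revised guidelines".
MIN_LENGTH = 12
ITERATIONS = 600_000  # illustrative PBKDF2 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; only this output is ever stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def meets_current_policy(password: str) -> bool:
    # Needs the plaintext, so it can only run while the user is submitting it.
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return len(password) >= MIN_LENGTH and has_letter and has_digit


def register(db: dict, user: str, password: str) -> None:
    # Simulates an account created before the policy was tightened:
    # no strength check here, only hashing.
    salt = os.urandom(16)
    db[user] = {"salt": salt, "hash": hash_password(password, salt),
                "must_change": False}


def login(db: dict, user: str, password: str) -> str:
    record = db.get(user)
    if record is None:
        hash_password(password, b"\x00" * 16)  # equalize work for unknown users
        return "denied"
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return "denied"
    # The password is now verified and still in memory: check it against
    # rules that are newer than the stored hash, then discard it.
    if not meets_current_policy(password):
        record["must_change"] = True
        return "change_required"
    return "ok"
```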