[manojit]

Why people are still restricting password complexity. As long as passwords are carefully & cryptographically processed (read hashed with individual salt). I recently designed a system where the only password policy is the length (8 char minimum) and they are stored hashed with salt being a specially encoded user id (thus unique for each user).

I also like to contradict myself. Password complexity and and all the policy are needed to make the social engineering not feasible. I mean a strong and secure system and with that people are using 'password1234' is a very bad practice.

[Sami_Lehtinen]

I consider passwords as random blobs of bytes. Everyone says that hashing is important but I don't see any real benefit of it. If I hash random 128 bits result is random 128 bits.

[SoftwareMaven]

It's important because if somebody gets your database, if you haven't hashed, they have everybody's passwords, and those passwords are often reused many times at many sites. Hashing at least puts a step between stealing your table and knowing everybody's passwords (a mathematically hard step for good passwords).

Also, please let me know what sites you manage so I know where my data is not valued.