Why people are still restricting password complexity. As long as passwords are carefully & cryptographically processed (read hashed with individual salt). I recently designed a system where the only password policy is the length (8 char minimum) and they are stored hashed with salt being a specially encoded user id (thus unique for each user).
I also like to contradict myself. Password complexity and and all the policy are needed to make the social engineering not feasible. I mean a strong and secure system and with that people are using 'password1234' is a very bad practice.
I consider passwords as random blobs of bytes. Everyone says that hashing is important but I don't see any real benefit of it. If I hash random 128 bits result is random 128 bits.
It's important because if somebody gets your database, if you haven't hashed, they have everybody's passwords, and those passwords are often reused many times at many sites. Hashing at least puts a step between stealing your table and knowing everybody's passwords (a mathematically hard step for good passwords).
Also, please let me know what sites you manage so I know where my data is not valued.
