*salted* hashes!
...and when requesting a password change it is so much better if you put all your conditions up front, eg
''please enter your new password. it must have
<condition1>, eg minimum length,
<condition2>, eg max[why?] length,
<condition3>, eg must-be-used characters,
<condition4>, eg disallowed characters[why?]
etc,
etc,''
rather than have the user find out by trial-and-error [and many ''invalid pwd''s] what the parameters of a valid pwd are.
...and when requesting a password change it is so much better if you put all your conditions up front, eg
''please enter your new password. it must have
<condition1>, eg minimum length,
<condition2>, eg max[why?] length,
<condition3>, eg must-be-used characters,
<condition4>, eg disallowed characters[why?]
etc,
etc,''
rather than have the user find out by trial-and-error [and many ''invalid pwd''s] what the parameters of a valid pwd are.