Wrong how? And hashing and encryption are two different things that shouldn't be confused.
Yes hashing does mean that it will end up a fixed length, but before you get the hash you have:
The users browser/app
Any Web Application Firewalls between you and the user
The server application receiving the password
The frameworks you are using
The hashing algorithm
You should be testing that all of them support the longest password you allow, which without max limit set is infinite and impossible to test.
Password Strength Meters - I think these should be indicative, rather than absolute. A minimum length password of all lowercase letters should be marked as insecure. Something more complex is better. Long and randomly generated is best. Disallowing previously breached and common passwords is more important than the password strength meter, but using them both together is a good way to give users visual, understandable feedback.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Wrong how? And hashing and encryption are two different things that shouldn't be confused.
Yes hashing does mean that it will end up a fixed length, but before you get the hash you have:
You should be testing that all of them support the longest password you allow, which without max limit set is infinite and impossible to test.
Password Strength Meters - I think these should be indicative, rather than absolute. A minimum length password of all lowercase letters should be marked as insecure. Something more complex is better. Long and randomly generated is best. Disallowing previously breached and common passwords is more important than the password strength meter, but using them both together is a good way to give users visual, understandable feedback.