Oracle presents a fairly restrictive password policy:
Passwords can be from 1 to 30 characters.
The first character in an Oracle password must be a letter.
Only letters, numbers, and the symbols “#”, “_” and “$” are acceptable
in a password.
These kind of restrictions pass through to web applications sometimes – either because the system is Oracle backed, or a web developer has copied the rules. For example, the Virgin Media login:
.
With best practices dictating salting + hashing, hence no restriction on length or characters, why does Oracle do this? Are there technical reasons, or is it simply a legacy choice?