
I've been tempted a few times to simply use a salt and single-iteration SHA-256 to store passwords, and put something like this on the account creation and password change screens:

> If you care about the security of your account, use a 20+ character random password and do not reuse that password at any other sites. There are several excellent password managers that can generate and remember such a password for you and make it easy to use. Here's a list: <link to list of password managers>.

> We allow all normal US printable characters in your password: upper and lower case A-Z, digits, and <list of punctuation>. Set your password generator to length 20+ and to use mixed case, digits, and symbols and you will be fine.

> If you think you might have to manually type this password at some point, you can use a reduced character set with a longer password. If you use just mixed case letters and digits make the password 22+ characters long. If you use just mixed case letters make it 23+ characters. Letters all of the same case? Make it 28+ characters. 32+ characters of hex is fine, too. Heck, you can make it all digits if you use at least 39 of them.

> If your password manager offers other options, such as patterns like groups of digits or pronounceable syllables separated by some symbol, that too is fine as long as you make it long enough. Make it long enough that your password manager gives it its highest strength rating.

> The exact upper limit on password length that our password entry fields allow might vary from time to time as we update the site, but will always be at least 64 characters.


