>You shouldn't really be storing the password itself (or even the encrypted password), but rather a hash of the password. And ideally another field for the salt. So if you used something like SHA1 you'd need a field that could store 160 bits (SHA1 is fixed size, regardless of the input string). I'd probably use something like a GUID for the salt (each user records gets its own unique salt), then store HASH(Salt + Password) in the database. Now the user can enter any length password they like and your code will still work.
>
>As far as password policies go, I usually just use whatever password KeePass automatically generates; it appears it's a 20 character string with upper/lower case, numbers, and special characters. Or if it's a password I really need to remember I tend to use pass phrases with odd case changes and/or alt. characters.
Thanks