What’s stored is hash(password). Then the password check is stored == hash(entered).

Hash(x) will be the same length, regardless of what x is. What that length is depends on which hash function it is. So the database can set the length of its storage for each user’s password to the length of the hash and the hash function will take any size password.

Until they remove checking that reg key from all versions other than maybe enterprise. If they decide that running windows requires an MS online account, they can keep bumping up the difficulty of running it without whenever they want.

Which suggests to me that MS stores plaintext passwords. Because a hash function doesn’t care about the length of what it’s hashing, the output will always be the same length, so they could verify a 300 character password with the same storage space as a 3 character password.

Even with civilisation or society, there’s always been a subset of people looking to exploit whatever facet of existence they can, whether it be religion, politics, crimes of opportunity, weaknesses in social systems, or even the justice systems that are supposedly meant to deal with those flaws.

And to add even more complexity, other people who aren’t pieces of shit looking to exploit others form emotional attachments to those who are and are fooled by their lies and will defend them. Others don’t have attachments but see parallels to themselves and worry that attempts to deal with the problematic ones will result in the same treatment being applied to them (and aren’t necessarily wrong because even justice trying to act in good faith can get it wrong).

It’s all a complex web of power struggles and religion is just one set of stands.