Just received a mail from my college that my college's student account password does not contain any special characters and I should change it immediately. Wtf? How did they know that?

The account was created an year ago.

Lol

You should ask them

@620hun they are too stubborn but I'll try

Let's hope they have made an algorithm which can tell if a hash has special chars ;)

How to deal with proud/smug idiots ignoring you:
1) inform them of the problem
2) give them some time to get back to you

If they dont:
3) find an exploit(there's probably plenty)
4) copy insecure sensitive info from their db (e.g. user credentials)
5) email them a copy along with "Are you going to listen now?"
6) revel in their panic
7) laugh
8) watch it get patched immediately
9) laugh again.

If they give you shit, inform their boss/CTO.

Cleartext passwords are completely intolerable.

First they store passwords in plain text. And then they mail you that they store the passwords in plain text.
Wow.
How much dumber can they go ?

Probably just a flag raised before the password is hashed to check for special characters? I'd do anything to avoid believing that someone would be stupid enough to store plaintext passwords

Regex, pattern checking we done that for server side validation, the systems could have been updated that runs through passwords on the dB, all passwords have to be stored somewhere.. Otherwise who's to say that everyone's password is mine when I want to log in

Are you sure it's legit and not phishing? Knowing higher Ed it could go either way

@damiano hashing algorithms. Passwords aren't stored anywhere, only their salted hashes are.

Apart from brute-forcing the hashes, there is no way to determine what the original passwords are.

@epiz I am not the only one who received the mail.

even if it was illegal if i go against the college , I'll be in big trouble.

@firefish it's easy to get or guess many student emails so I wouldn't be surprised if it was phishing and a whole bunch of students are getting caught. The only way to know would be to go to the site directly and either find corroborating messaging or contact someone who would know.