> Firstly, no one puts upper limits on the number of characters, just lower ones
Yeah actually they do. Several sites I use, that really should know better, absolutely do put upper limits. Which is really stupid.
> Secondly, length trumps complexity significantly:
Length is one aspect of complexity, so that statement makes little sense. And in any case it will be hashed.
fwq1sAs is FAR better than Password123, despite the latter being longer.
Complex and unique is what you want.
> 10 upper and lowercase letters (52^10) is stronger cryptographically than
I don't think you understand what 'cryptographically' means. All that using upper and lowercase means is that there are more possible passwords.
Unfortunately password dictionaries are far more sophisticated than you seem to think they are and 56^10 is only double 26^10 which is insignificant.
> Thirdly, re-hashing a hash is exactly what hashes do, but collisions won't happen more frequently, as you need to do the same work on the plaintext to get the cryptext
As he said, if that really had any value the authors of the SHA-2 hash family would have already done it.
> Fourthly and fifthly, ideally the salt should be the full key space combined, so the combination of user-specific and global should be that size. Using any pre-known value is risky as the attacker may find this; the recommended method is random salts (but you need to verify your entropy source)
That's just wrong.
A salt isn't an encryption key. It doesn't need to be secret, just unique. It's there solely to defeat *pre-computed* rainbow tables.
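An added example (my own code, not from anyone in the thread) of the point about salts: a constructed mini "precomputed table" of unsalted SHA-256 digests recovers a password instantly, while a per-record random salt, stored in the clear next to the digest, makes the same table useless and gives two users with the same password different stored records. The wordlist and user records are constructed sample values.

```python
import hashlib
import secrets

# Constructed sample wordlist standing in for an attacker's precomputed table.
SAMPLE_WORDLIST = ["Password123", "fwq1sAs", "letmein", "correcthorse"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_precomputed_table(wordlist):
    """Rainbow-table stand-in: unsalted digest -> plaintext."""
    return {sha256_hex(w.encode()): w for w in wordlist}

def lookup(table, digest):
    """Return the plaintext the table holds for this digest, or None."""
    return table.get(digest)

def unsalted_hash(password: str) -> str:
    return sha256_hex(password.encode())

def new_salt() -> bytes:
    # 16 random bytes per record; uniqueness, not secrecy, is the property needed.
    return secrets.token_bytes(16)

def salted_hash(password: str, salt: bytes) -> str:
    return sha256_hex(salt + password.encode())

def store_user(password: str):
    """Create a stored record (salt, digest); the salt is kept in the clear."""
    salt = new_salt()
    return salt, salted_hash(password, salt)

def verify(password: str, record) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = record
    return secrets.compare_digest(salted_hash(password, salt), digest)

# Note: a real password store uses a deliberately slow KDF (bcrypt, scrypt,
# Argon2, PBKDF2) rather than one SHA-256 round; plain SHA-256 is used here only
# to keep the salt effect visible.
```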