Everything that led up to that is his fault though. So whilst the contact and the resulting damage wasn’t his fault, the fact that he was in that situation at all was.
Fully deserved imo
Very dominant, but not this dominant
I'll keep my aswer short, but first of all, usually this format enforcement is done on the client before it is ever sent to the backend, there are many reasons to limit the maximum length other than string length limitations on the database ( not that I can think of many actual good reasons).
Second of all, the client should send the actual password to the backend (allowing you validate these same password requirements on your backend), not the hashed password, hashing the password on the client side would be no better than storing the password as "plain text".
And never is the "plain text" password stored in any database, only sent over to the backend and hashed, every time you set a new password, or log in using an existing one.
That’s just not true, all of these things can be achieved without saving the password as plain text