
> But a T-Mobile spokeswoman later told news site Motherboard that "encrypted" passwords were in the batch of data.

T-Mobile stores plaintext passwords. They recently invalidated a password I had been using with them for some time because they changed their rules and disallowed special characters (tons of stupid there). They wouldn't have known to do that if the passwords were properly hashed.



If they invalidated the password when you logged in then this is possible even if the password is hashed because you just gave it to them.


This isn't necessarily true (and is very dependent on what your password was) - they could have iterated through lists of common passwords w/ special characters, hashed them, and compared them to their DB, forcing a pw reset for everyone that had a match.

edit - just want to state that if they disallow special characters it really is a terrible policy, my point is just that resetting your password isn't proof they are stored in plaintext


I doubt they did this, but I was just thinking about this problem--

Maybe they could have analyzed the plaintext password and stored information about the types of characters it contained and number of characters. Then they salt+hash the plaintext password and store the resulting hash. Now they know a little about the characters and length of the password without knowing the password itself.

Again, I doubt they did this.


Not salting passwords in 2018 is also idiotic lunacy.


This same exact strategy works with a salt as well.


He might have been referring to user specific salts? It would certainly be a lot more challenging for them to test every common password with every user's salt.


I had the same reaction over the weekend when I reset my password. I tried to use a 20-character password with some special characters and their "validation" blocks it. Poor password management irritates me to no end.


Did you get an email saying this, or did this happen when you logged in? At login they could examine the password you sent, check if it matched their hash, and then prompt you to change it.
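As an added illustration, not code from anyone in this thread: both mechanisms the commenters describe, a login-time check (the server sees the plaintext only when the user presents it) and the offline sweep of a common-password list against every user's salted hash, can coexist with proper salted hashing. The in-memory user store, the "no punctuation" policy and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
import string

# Constructed example store: username -> (per-user salt, PBKDF2 hash).
USERS = {}

# Assumed stand-in for the "no special characters" policy from the thread.
DISALLOWED = set(string.punctuation)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a random per-user salt; only the hash is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    salt, stored = USERS[username]
    return hmac.compare_digest(hash_password(password, salt), stored)


def login(username: str, password: str) -> str:
    """Returns 'denied', 'ok' or 'must_reset'.

    The policy check runs only after a successful verify: that is the one
    moment the server legitimately holds the plaintext, so a reset prompt
    here says nothing about how the password is stored."""
    if not verify(username, password):
        return "denied"
    if DISALLOWED & set(password):
        return "must_reset"
    return "ok"


def sweep_common_passwords(common: list) -> list:
    """Offline check: hash each candidate under each user's own salt.

    With per-user salts the cost is len(USERS) * len(common) hashes, which
    is why this only works for short lists of very common passwords."""
    flagged = []
    for user, (salt, stored) in USERS.items():
        for candidate in common:
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                flagged.append(user)
                break
    return flagged
```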


They allowed me to put a slash in my password. Did this happen within the last two weeks?



