For most websites, we don’t have the source code available. As users, we more or less trust that the site is doing “the right thing”, or we just use a throwaway password that we accept may be compromised.
Sometimes it is obvious that a site is not: for example, when it sends you your password in the clear. Other times, it is less obvious. Usually, if a site imposes limits on your password, such as its length or which characters it may contain, you can guess that your password will be stored in the clear.
The reason is simple: if the password is hashed, it doesn’t matter how long it is or what characters it uses. It will always end up as a fixed-length hex string. SHA1 creates 20 bytes (40 hex characters), MD5 creates 16 bytes (32 hex characters). The one exception may be if the code uses a database function to do the hash. For example, some pseudo code:
$hash=md5($password); update users set passwordhash='$hash'
In this case, it doesn’t matter whether the password includes a single quote or anything else. However, it could matter in the following snippet:
update users set passwordhash=sha1($password)
(Needless to say, I wouldn’t use dynamic SQL like this, but that is a topic for another blog post.)
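The two snippets above, made runnable as an added example (not code from the original post). The Python/SQLite setup, the registered sha1() SQL function, the one-column users table and the sample passwords are all assumptions constructed for illustration; the last function shows the same database-side hash with a bound parameter, where the quote no longer matters.

```python
import hashlib
import sqlite3

# Constructed sample passwords: plain, containing a single quote, very long.
PASSWORDS = ["correct horse", "O'Brien-2024!", "x" * 200]

def make_db():
    db = sqlite3.connect(":memory:")
    # SQLite has no built-in sha1(), so register one to hash inside SQL.
    db.create_function("sha1", 1, lambda s: hashlib.sha1(s.encode()).hexdigest())
    db.execute("create table users (passwordhash text)")
    db.execute("insert into users values ('')")
    return db

def stored(db):
    return db.execute("select passwordhash from users").fetchone()[0]

def hash_in_app(db, password):
    # First snippet: only the 32 hex digits of the digest reach the SQL text.
    # (MD5/SHA1 are used here only because the post's pseudo code uses them.)
    digest = hashlib.md5(password.encode()).hexdigest()
    db.execute(f"update users set passwordhash='{digest}'")
    return stored(db)

def hash_in_db_dynamic(db, password):
    # Second snippet: the raw password is pasted into the statement first,
    # so its characters become part of the SQL before any hashing happens.
    try:
        db.execute(f"update users set passwordhash=sha1('{password}')")
        return stored(db)
    except sqlite3.OperationalError:
        return None  # the quote in the password broke the statement

def hash_in_db_bound(db, password):
    # Same database-side hash, but the password travels as a bound parameter.
    db.execute("update users set passwordhash=sha1(?)", (password,))
    return stored(db)

if __name__ == "__main__":
    db = make_db()
    print("pw length, md5 hex length, dynamic SQL ok, bound sha1 hex length")
    for pw in PASSWORDS:
        print(len(pw), len(hash_in_app(db, pw)),
              hash_in_db_dynamic(db, pw) is not None,
              len(hash_in_db_bound(db, pw)))
```

A site built like the dynamic variant has a reason to ban quotes even though it hashes, which is the exception described above.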
If stored unencrypted, the length of the password is typically limited because the database table was defined with a certain length for this field. Maybe even worse: if you are not told about it, your password may be truncated “silently”.