IllegalArgumentException
should be your first choice whenever you get an argument that you don't like within a method (that's the very purpose of this exception). So, unless you already have (or feel the need to implement) a more specific / meaningful exception, I think it's OK to stick with IllegalArgument/IllegalState for the sake of consistency.
However, it may be a good idea to point out the specific argument that you don't like in the exception message. And by the way, Guava provides very nice support for such validations with its Preconditions
utility.
Preconditions.checkArgument(encrypted != null && !encrypted.isEmpty(), "The old password hash is empty");
Preconditions.checkArgument(plain != null && !plain.isEmpty(), "The new password is empty");
Now that you've clarified the actual question scope, I would say that you're the only one to decide whether your method should proceed if provided with null or empty arguments, after figuring out what exactly this method is supposed to check.
Based on the name of your method, I would say that it should at most disallow null
values, as empty passwords can still be matched against their encrypted representation. The "minimum password length" rule should most likely be implemented elsewhere; this method should only report whether a plain password matches a hash, disregarding whether it's a legal password or not.