undefined | Better HN

0 pointscriddell8y ago0 comments

How about case insensitive passwords? That one always bugs me because it suggests that maybe they are storing the password.

0 comments

skylark8y ago

Case insensitive passwords is entirely a business decision. Banking websites in particular have huge numbers of non tech savvy customers. When they forget their password or type it in incorrectly, they don't go to the password reset form, they call into customer support. This costs an enormous amount of money.

Banks figured the cost of reimbursing people if their account is compromised is lower than the cost of having to field all of those phone calls.

Source: Used to work at a bank.

criddellOP8y ago

Yeah, that makes sense.

Once after my account was stolen from, I did a careful look at the website and sent in a list of questions and complaints about their practices. After enough bugging, a person eventually called me. The bottom line was essentially that I shouldn't be concerned because I'm not responsible for fraudulent withdrawals. It wasn't very satisfying.

The thieves got away with around $2400.

stanmancan8y ago

Not true, they most likely convert all characters to a certain case before they hash it, so even if you entered PASSworD123 they convert to password123 and then hash.

I believe I read that Facebook stores a few commonly mistyped versions of everyone's password. Actual password, typed as if caps lock was on, things like that.

criddellOP8y ago

That's a good point. I'm pretty sure my bank is storing the password because they also limit it to some (small) number of characters. I'm guessing it's because the web interface is just passing it on to some ancient back-end system.

JadeNB8y ago

> I'm pretty sure my bank is storing the password because they also limit it to some (small) number of characters.

I love how it's always the banks with these ridiculous password practices. I'm really glad that it's not some site where the password is protecting important information.

Buge8y ago

That reduces password entropy and makes the hashes easier to crack.

stanmancan8y ago

I didn't say it's a good idea, it's awful, just pointing it out though.

cm21878y ago

Well, does it? Even if you crack it you don't have the correct casing. So you don't have the original password. Of course doesn't help if every other website converts to lower case too.

But if you use bcrypt you can partially compensate by using a higher work factor.

1 more reply

mark-r8y ago

Sure, it's possible to do it that way. But if I were taking bets, I know where I'd put my money.

chefandy8y ago

I've seen people write hash functions which change the input to all lower or upper case first. I think it's a pointless, stupid idea– maybe unless it's a VERY low-risk system for people with cognitive disabilities, kids or seniors– but not necessarily unhashed-password-level stupid.

asteli8y ago

facebook logins work this way (sort of). they account for flipped case (caps lock on) and for passwords that accidentally have the first letter capitalized.

thesuitonym8y ago

I knew I was forgetting something!

j / k navigate · click thread line to collapse

0 comments

skylark8y ago

Banks figured the cost of reimbursing people if their account is compromised is lower than the cost of having to field all of those phone calls.

Source: Used to work at a bank.

criddellOP8y ago

Yeah, that makes sense.

The thieves got away with around $2400.

stanmancan8y ago

Not true, they most likely convert all characters to a certain case before they hash it, so even if you entered PASSworD123 they convert to password123 and then hash.

I believe I read that Facebook stores a few commonly mistyped versions of everyone's password. Actual password, typed as if caps lock was on, things like that.

criddellOP8y ago

JadeNB8y ago

> I'm pretty sure my bank is storing the password because they also limit it to some (small) number of characters.

I love how it's always the banks with these ridiculous password practices. I'm really glad that it's not some site where the password is protecting important information.

Buge8y ago

That reduces password entropy and makes the hashes easier to crack.

stanmancan8y ago

I didn't say it's a good idea, it's awful, just pointing it out though.

cm21878y ago

Well, does it? Even if you crack it you don't have the correct casing. So you don't have the original password. Of course doesn't help if every other website converts to lower case too.

But if you use bcrypt you can partially compensate by using a higher work factor.

1 more reply

mark-r8y ago

Sure, it's possible to do it that way. But if I were taking bets, I know where I'd put my money.

chefandy8y ago

asteli8y ago

facebook logins work this way (sort of). they account for flipped case (caps lock on) and for passwords that accidentally have the first letter capitalized.

thesuitonym8y ago

I knew I was forgetting something!

j / k navigate · click thread line to collapse