
I was thinking of adding a check to remind a user that their password is case sensitive, in case they got their password right but forgot to use the uppercase characters in it.

The first idea was to simply add a field with a lowercase password hash and check (when the password check failed) whether the lowercased password that was entered matched the lowercase hash.

Pseudocode

if (getPasswordHash(password.toLower()) == database_lower_hash) {
    writeMessage("Remember that your password is case sensitive")
}

  1. Will this lower my password security?
  2. Should I use a different salt for the lowercase password and the normal password?
  3. Should I just not bother and give the message about case sensitivity every time someone gets the password wrong?
  • A better approach would maybe be to implement a password policy with a rule of at least one upper and one lower case letter. This could be validated when the user tries to log in, and they get the case-sensitive message if the password that they are attempting does not pass the policy. Commented Nov 20, 2013 at 17:52

2 Answers

6

Yes, it would lower your security.

You are trying to help the user by changing the usual two-state (pass/fail) scenario to a three-state (pass/fail-but-you-are-near/fail) scenario. This intermediate state that you are introducing will certainly lower your security.

Here is how:

  1. Say a hacker gets some hint that my password is 4 characters. If he goes the sheer brute-force way, then he has to try (26*2)^4 combinations. But once you implement this, then in just (26)^4 combinations he would get a ... Remember that your password is Case Sensitive ... message. From that point on, he has to try a maximum of 2^4 combinations for the lower/upper case of each character. Thus the brute-force barrier is significantly reduced.

  2. You would now have to store two hashes in your database. Even if you use different salts, which you must anyway, you are again reducing the brute-force barrier by half. To crack a password, the hacker can now deploy two separate computers devoted to cracking one hash each, effectively reducing the time by half.

Of course these are extreme scenarios. Passwords are never allowed to be 4 characters long. There would be special characters as well. There is a slim chance of a military-class hacker targeting your application. You don't see how on earth someone could ever steal your password table. But all of these can be debated against. There is social engineering, there are system vulnerabilities, and yes, even your application can attract serious hackers. All it takes is for your application to attract a crowd, and with the crowd come the bad guys.

So the rule of thumb is:

  1. With security, always follow the established norms. There are landmines everywhere else.

  2. Respect everyone's password with the utmost care, as if those were the passwords to the bank vault itself.


1 Comment

Yeah, I thought it wasn't a good idea while I was writing the question. If someone steals the db, they can do a much easier attack on the hashes that they know are case insensitive and then use the insensitive ones to check for the case-sensitive passwords.
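The two-stage attack described in the answer above and in this comment, as an added example that is not part of the original question or answers: an attacker holding the stolen table cracks the lowercase hash over the 26^n space first, then tries only the 2^n case variants of the recovered word against the case-sensitive hash. The storage layout, the two per-record salts, the use of SHA-256 (chosen only so the demonstration runs quickly; a real system would use a slow KDF such as bcrypt, scrypt or Argon2) and the 4-character sample password are all constructed assumptions for the example.

```python
import hashlib
import hmac
import itertools
import os
import string


def password_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for the real password hash; fast on purpose so the demo finishes.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_password(password: str) -> dict:
    # The questioner's scheme: exact-case hash plus a lowercase hash,
    # each under its own random salt (question 2 answered "yes, separate salts").
    salt_exact, salt_lower = os.urandom(16), os.urandom(16)
    return {
        "salt_exact": salt_exact,
        "hash_exact": password_hash(password, salt_exact),
        "salt_lower": salt_lower,
        "hash_lower": password_hash(password.lower(), salt_lower),
    }


def check_password(record: dict, attempt: str) -> str:
    """The three-state login check: 'ok', 'near' (case was the only error), or 'fail'."""
    if hmac.compare_digest(password_hash(attempt, record["salt_exact"]), record["hash_exact"]):
        return "ok"
    if hmac.compare_digest(password_hash(attempt.lower(), record["salt_lower"]), record["hash_lower"]):
        return "near"  # this is the oracle the answer warns about
    return "fail"


def case_variants(word: str):
    """Yield every upper/lower-case spelling of word: 2^k variants for k letters."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def crack_two_stage(record: dict, length: int, alphabet: str = string.ascii_lowercase):
    """Offline attacker with the stolen record and a hint that the password has `length` letters.

    Stage 1 brute-forces the lowercase hash (26^length worst case).
    Stage 2 tries only the case variants of the hit (2^length worst case).
    Returns (password_or_None, stage1_guesses, stage2_guesses)."""
    stage1 = 0
    for combo in itertools.product(alphabet, repeat=length):
        stage1 += 1
        candidate = "".join(combo)
        if password_hash(candidate, record["salt_lower"]) != record["hash_lower"]:
            continue
        stage2 = 0
        for variant in case_variants(candidate):
            stage2 += 1
            if password_hash(variant, record["salt_exact"]) == record["hash_exact"]:
                return variant, stage1, stage2
        return None, stage1, stage2  # lowercase hit but no case variant matched
    return None, stage1, 0


def search_space(length: int, letters: int = 26) -> tuple:
    """Worst-case guesses: one case-sensitive hash vs. the two-hash scheme (26^n + 2^n)."""
    return (2 * letters) ** length, letters ** length + 2 ** length


if __name__ == "__main__":
    record = store_password("aBcD")  # constructed sample password
    print(check_password(record, "abcd"))  # 'near': the oracle leaks that only case is wrong
    print(crack_two_stage(record, 4))  # ('aBcD', 732, 6)
    print(search_space(4))  # (7311616, 456992)
```

For a 4-letter password the attacker's worst case drops from 52^4 guesses to 26^4 + 2^4, and the mixed-case hash is never attacked directly: it is only consulted once the lowercase hash has already given the word away. The same holds for longer passwords, which is why storing a lowercased hash is equivalent to storing a lowercase-only password.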
0

1.) Yes, of course. But only to the same degree as allowing lowercase only in the first place.

3.) Would be a cleaner solution.
