Reputation: 479
Password Case Sensitive Check
I was thinking of making a check to remember a user that their password is case sensitive in case they got their password right but forgot to use the uppercase characters in their password.
The first idea was to simply add a field with a lowercase password hash and check (when the password check failed) if the lowercase password inserted matched the lowercase
PseudoCode
if(getpasswordHash(password.toLower()) == databes_lower_hash){
writeMessage("Remember that your password is Case Sensitive")
}
- Will this lower my password security ?
- Should I use a different salt for the lowercase password and the normal password ?
- Should I just not bother and just give the message about case sensitivity everytime someone get the password wrong ?
Upvotes: 1
Views: 1516
Answers (2)
Reputation: 3649
yes, it would lower your security.
you are trying to help user by changing the usual two-state (pass/fail) scenario to three-state (pass/fail-but-you-are-near/fail) scenario. this intermediate state that you are introducing will certainly lower your security.
here is how:
say a hacker gets some hint that my password is 4 characters. if he goes sheer brute-force way then the he has to try
(26*2)^4combinations. but once you implement this, then in just(26)^4combinations he would get a ... Remember that your password is Case Sensitive ... message. from that point on, he has to try a maximum of2^4combinations for small/upper cases of each character. thus the brute-force barrier is significantly reduced.you would now have to store two hashes in your database. even if you use different salts, which you must anyway, you are again reducing the brute force barrier by half. to crack a password, the hacker can now deploy two separate computers devoted to cracking one hash each. effectively reducing the time in half.
of course these are extreme scenarios. passwords are never allowed to be 4 characters long. there would be special chars as well. there is a lean chance of a military class hacker to target your application. you dont see how on earth someone can ever steal your password-table. but all of these can be debated against. there is social engineering, system vulnerabilities, and yes even your application can attract serious hackers. all it takes for your application is to attract crowd. and with crowd comes the bad guys.
so rule of thumb is:
with security, always follow the established norms. there are landmines everywhere else.
respect everyone's password with utmost care as it those are the passwords of the bank-vault itself.
Upvotes: 6
Reputation: 61
1.) Yes of course. But to the same level like only allowing lowercase in the first place.
3.) Would be a cleaner solution.
Upvotes: 0
Related Questions
- How to check username and password case sensitive?
- Password checker for lower case, upper case, digits and symbols
- Username and password not case sensitive
- Case sensitive username and password
- How to use the case-sensitive for MySQL password field?
- Case insensitive usernames and password salts
- Password is not checking case sensitivity
- Verify case-sensitive Password in asp.net using sql server during login
- How to check case sensitive password in sql server08
- MS SQL Server 2005 - case insensitive password problem