Accepting same password in both upper and lower case

Question

I am facing a strange issue now. I have a login page in ASP.NET MVC which accepts username and password from the user. When user clicks on Login button, the form is submitted back to the controller with the entered data.

Then I use below code to check if it is a valid login :

var isValidLogin = (from user in dbEntities.usermasters
                     where (user.userName.Equals(login.username) && user.password.Equals(login.password))
                     select user).Any();

isValidLogin is returning true for both cases. ie if the password is pwd and user enteres PWD it is returning true. Would appreciate some valuable suggestions.

Answer 1

I think SQL Server's default collation is case-insensitive. You can set the collation at a server, table or column level.

To check your server collaction:

SELECT SERVERPROPERTY('COLLATION')

In my case, it's: Latin1_General_CI_AS. This CI stands for case insensitive.

You may be confused about string.Equals being case insensitive but it's actually converted to a query in LINQ to Entities.

You can change the collation of the password column to case sensitive one if you want.

PS

It's really not recommended to store passwords in plaintext. If you're database, or it's backup gets compromised, you're doomed. The recomendation is storing them as salted hashes. Everytime the user logs in, you apply the hash + salt to the password and compare it with what is stored in the database. Hashes are not reversible.

Also, if you use hashes, it will be case sensitive as a bonus :)