undefined | Better HN

0 pointsstanmancan8y ago0 comments

Not true, they most likely convert all characters to a certain case before they hash it, so even if you entered PASSworD123 they convert to password123 and then hash.

I believe I read that Facebook stores a few commonly mistyped versions of everyone's password. Actual password, typed as if caps lock was on, things like that.

0 comments

criddell8y ago

That's a good point. I'm pretty sure my bank is storing the password because they also limit it to some (small) number of characters. I'm guessing it's because the web interface is just passing it on to some ancient back-end system.

JadeNB8y ago

> I'm pretty sure my bank is storing the password because they also limit it to some (small) number of characters.

I love how it's always the banks with these ridiculous password practices. I'm really glad that it's not some site where the password is protecting important information.

Buge8y ago

That reduces password entropy and makes the hashes easier to crack.

stanmancanOP8y ago

I didn't say it's a good idea, it's awful, just pointing it out though.

cm21878y ago

Well, does it? Even if you crack it you don't have the correct casing. So you don't have the original password. Of course doesn't help if every other website converts to lower case too.

But if you use bcrypt you can partially compensate by using a higher work factor.

OJFord8y ago

> Well, does it? Even if you crack it you don't have the correct casing.

The 'correct casing' is any member of the set of all permutations of cases. So you both do, don't, and do not care.

mark-r8y ago

Sure, it's possible to do it that way. But if I were taking bets, I know where I'd put my money.

j / k navigate · click thread line to collapse