Full Version: Should passwords be case-sensitive?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Just an idea for more security.
that doesn't increase security much.
While it's not too useful security-wise to make passwords case-sensitive (the added security of this can be compensated by making your password two letters longer), there are security issues with case-insensitivity, mostly regarding how passwords are matched.

There are two ways of making passwords case-insensitive: case normalization (i.e., convert all passwords to uppercase (or lowercase) before matching them) and case-insensitive comparison (i.e., treating two letters that differ only in case as the same letter when comparing passwords).

There is nothing inherently insecure about case normalization, but it does require doing some processing over clear-text passwords, which are always a liability. Also, if non-ASCII characters are allowed, this poses a problem with some alphabets, because not every alphabet has a clean one-to-one match between every uppercase and lowercase letter — some alphabets have multiple forms for some letters, some letters only exist in uppercase or lowercase, and some alphabets don't have a concept of case at all. This causes password matching to become intransitive (A matching B and B matching C doesn't guarantee that A will match C), which can actually lock some people out of their accounts should the case normalization go wrong.

On the other hand, case-insensitive comparison, at first glance a simple and effective solution, is immensely dangerous. One of the main design principles to follow when a password-based authentication system is designed is to never store passwords. The server must never store users' actual passwords, or any data from where the password can be derived (such as encrypted passwords) — this is a liability if the server is compromised. The approach used by almost every properly-designed service nowadays is to store a one-way hash for the password plus a known salt (and match the corresponding salted password hash to this stored hash to authenticate the user), thus rendering all password data useless to any attacker — should someone hack the database and gain access to the password data, they'll find nothing of use. The downside of this approach is that the server has no access to the actual password (since the whole purpose of this approach is to make passwords entirely inaccessible). In order to perform a case-insensitive comparison, the server would need access to the actual stored password (since it needs to compare it in a case-insensitive way to the entered password, something that cannot be done through one-way hashes), which renders this approach infeasible, and nullifies the security that it gives. Thus, case-insensitive comparisons actually expose every account and every password unnecessarily, despite they are an otherwise very simple approach.

All in all, while case sensitivity doesn't add much by itself in terms of security, the opposite is unnecessarily harmful and problematic. Passwords must always be case-sensitive in every service that uses them.
Reference URL's