Don't forget about internationalization. Not all languages have uppercase and lowercase characters [0], and tbh I'm not sure what effect (if any) caps lock has for these. And rules for converting case can sometimes be tricky.
But it’s not core functionality, it’s just a convenience.
Whoa, let's not all freak out here (for this post and sibling posts). While I don't think I would personally do this, it only removes 1 bit of entropy because the case is swapped, and it only does that when checking the password. This does not imply they uppercase/lowercase the password prior to hashing at all, nor that foobar123 will work when the hashed password is FooBar123. Rather that fOObAR123 can be transformed by swapping case to FooBar123 and then checked against the hash.
No...they literally have the password you just entered. In plain text. They can change the case of that and compare against the DB hash twice. The entropy for someone trying to brute force the hashes directly is identical.
pimlottc|1 year ago
0: https://en.wikipedia.org/wiki/Letter_case#Bicameral_script
robinson7d|1 year ago
Making it more convenient for everybody equally is an admirable goal, but should a trivial change that makes life a bit easier for many people be scrapped just because making it easier for everyone else is difficult? Specifically here where the experience doesn’t significantly regress for anyone.
unknown|1 year ago
[deleted]
sroussey|1 year ago
It means that the passwords have far less entropy.
It means they uppercase your password when generating a hash. Good lord.
lhamil64|1 year ago
No it doesn't. Say your password is "Abc1". When you sign up, they would hash "Abc1". Then when you login, say you type "aBC1". The site would first hash "aBC1" and find that it is incorrect. Then it would invert the case to "Abc1" and try again, and it would work. It's basically just automating a second attempt. In fact, I wonder if it even counts as a second failed attempt if both failed.
If someone were able to make brute force attempts on the website, it would still end up evaluating the passwords the same number of times as if the inverted case wasn't checked (the attacker would just need to invert it themselves) and in fact would likely slow down the attack because they are forced into checking inverted case passwords. But that's moot anyway because the website limits login attempts. And if the database leaked, it's not stored any differently than if they didn't invert the case.
Of course I'm making assumptions about the implementation (I didn't know they did this until this comment) and it could be done poorly but I would hope a company as big as meta/Facebook put at least this amount of thought into it.
rezonant|1 year ago
Don't forget that the shift key makes things lowercase when Caps Lock is turned on.
bheadmaster|1 year ago
And for weak passwords... Well, it's not like that one extra bit would have made a difference.
marcinzm|1 year ago
jerbear4328|1 year ago
- User types pA$$WORD1 and clicks Sign In
- Frontend sends that to the server
- Server responds "incorrect"
- Frontend tries again with Pa$$word1
- Server responds "correct" and user is logged in
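The flow lhamil64 describes and the step list above, as an added example that is not code from the thread or from Facebook. It assumes a hypothetical PBKDF2-based credential store (the thread does not say what hashing Facebook uses): the stored hash is computed over the password exactly as entered at sign-up, and at login the server checks the typed string first and the case-swapped string second, against the same stored hash. It also counts the whole login as one attempt, and exposes the candidate list so the internationalization point from pimlottc's comment (scripts with no case, and case mappings that do not round-trip) can be observed directly.

```python
import hashlib
import hmac
import os

# Hypothetical account store: {username: (salt, pbkdf2_hash)}. Values are
# constructed at runtime; nothing here is real user data.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password exactly as given (no case folding)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(store: dict, username: str, password: str) -> None:
    """Sign-up: hash the password as typed, so stored entropy is unchanged."""
    salt = os.urandom(16)
    store[username] = (salt, hash_password(password, salt))


def candidate_forms(typed: str) -> list:
    """Forms tried at login: the typed string, then its case-swapped form.
    For scripts without letter case (or all-digit input) swapcase() returns
    the same string, so only one form is checked."""
    swapped = typed.swapcase()
    return [typed] if swapped == typed else [typed, swapped]


def swapcase_round_trips(s: str) -> bool:
    """True when swapping case twice returns the original string. Some Unicode
    mappings (e.g. German sharp s, which uppercases to 'SS') do not round-trip,
    which is the 'rules can be tricky' caveat from the thread."""
    return s.swapcase().swapcase() == s


def verify_login(store: dict, username: str, typed: str, attempts: dict) -> bool:
    """Login: try each candidate form against the SAME stored hash.
    The lowercased or uppercased password is never tried, only the
    case-swapped one, so 'foobar123' does not unlock a 'FooBar123' hash.
    One call counts as exactly one attempt for rate limiting, however many
    forms were hashed."""
    salt, stored = store[username]
    attempts[username] = attempts.get(username, 0) + 1
    for candidate in candidate_forms(typed):
        if hmac.compare_digest(hash_password(candidate, salt), stored):
            return True
    return False


if __name__ == "__main__":
    store, attempts = {}, {}
    register(store, "alice", "Pa$$word1")
    print(verify_login(store, "alice", "pA$$WORD1", attempts))  # caps-lock typo accepted
    print(verify_login(store, "alice", "pa$$word1", attempts))  # lowercased form rejected
    print(attempts["alice"], "attempts recorded")
```

Two properties worth checking in any such implementation: the hash on disk is computed over the password as typed (the leak-resistance argument in the thread depends on it), and the retry is server-side against the same hash rather than a second round trip from the frontend, so the attempt counter and any lockout logic see one attempt, not two.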
Trrrrappp|1 year ago
anymouse123456|1 year ago
Also, can someone please tell me that Facebook doesn't really do this?
nekasrbenda|1 year ago