Question
It was recently brought to my attention that a certain big bank website allows users to log in with passwords that are not case sensitive. After confirming this, I checked other websites I bank with and found a second big bank website that does the same thing. I did not check their mobile clients.
To me it seems like this lowers security, as this increases the number of unique passwords that can be used to log in to my account. Is there a common reason and/or justification for this from a security standpoint? The top non-security reason I could come up with is that it reduces calls to the helpdesk related to case sensitive passwords.
Explanation / Answer
Typically, it is a choice between usability and security. Users have a surprising amount of trouble with capitals in passwords, so capitalizing passwords before hashing them makes it easier on the user.
Of course, that also decreases the maximum entropy of a password of a given length. To compensate, you should use longer passwords... if you're not limited to some silly number like "10 characters max" (in which case you're entitled to wonder if they are really handling passwords in a secure manner).
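As an added illustration (not part of the original answer), the Python below quantifies the entropy loss the answer describes and shows the fold-before-hash step; the alphabet sizes (95 printable ASCII symbols, 69 once upper and lower case letters are merged) and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import math
import os

# Assumed alphabets: the 95 printable ASCII characters, and the same set after
# case folding, where the 26 upper-case letters collapse onto the lower-case ones.
PRINTABLE_ASCII = 95
CASE_FOLDED = PRINTABLE_ASCII - 26  # 69 distinct symbols survive folding


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Maximum entropy (bits) of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def length_to_compensate(length: int) -> int:
    """Smallest case-insensitive length whose maximum entropy is at least that of
    a case-sensitive password of `length` characters."""
    target = entropy_bits(length, PRINTABLE_ASCII)
    return math.ceil(target / math.log2(CASE_FOLDED))


def fold(password: str) -> str:
    """Normalization applied before hashing, as the answer describes.
    casefold() is the Unicode-aware equivalent of upper()/lower() for ASCII."""
    return password.casefold()


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 over the folded password (hypothetical scheme
    used here only to illustrate where the folding step sits)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", fold(password).encode("utf-8"), salt, 200_000)
    return salt, digest


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison; any case variant of the stored password passes."""
    return hmac.compare_digest(hash_password(candidate, salt)[1], digest)


if __name__ == "__main__":
    for n in (8, 10, 12, 16):
        print(f"{n} case-sensitive chars ~ {entropy_bits(n, PRINTABLE_ASCII):.1f} bits; "
              f"need {length_to_compensate(n)} case-insensitive chars to match")
```

With a "10 characters max" rule, `length_to_compensate(10)` already exceeds the limit, which is the answer's point about compensation being impossible under such caps.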