If a website stores passwords as a salted hash, is it reasonable to accept simil

Question

If a website stores passwords as a salted hash, is it reasonable to accept similar passwords as correct?

For example, given the password stackexchange, does it dramatically decrease security if the website were to accept stackexchange, Stackexchange, or STACKEXCHANGE? The thinking here is that this will be easier for users. The first is the exact password, the second is in case the browser capitalizes the first character of their password, and the third password has inverted case, in the scenario where the user has Caps Lock on.

If someone were to get a hold of this database and try cracking the passwords, would allowing these additional combinations significantly reduce password strength?

Explanation / Answer

The simple answer is not really. The easiest way to achieve this would be to use a .ToLower() before salting and hashing, and the same when password checking.

However it is worth spending some time thinking about why you would bother. It isn't the browser doing the capitalisation after all, it is the user. It is no different from using @ instead of A or 3 instead of e.

In principle you should accept whatever the user enters as their password without messing with it.

Also, research seems to indicate that password length and not complexity is the best way to go Measuring the Effect of Password-Composition Policies.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.