Textpattern CMS support forum
Lower case passwords
Just out of curiosity, does anyone know the reason behind ignoring case in admin-side passwords?
I can (sort of) understand it when generating new account passwords — because they’re temporary — but when I go and change my password and do all the good things I’m supposed to, some of my hard-crafted entropy is lost when TXP converts what I type to lower case before it’s stored.
Is there a jolly good reason for this that I can’t fathom? Some legacy database restriction? If not, can it please be changed so mixed case passwords are differentiable? Thanks.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Re: Lower case passwords
Hi Stef,
I suspect it’s simply a way to help people avoid inadvertently locking themselves out by typing in their password in the “wrong” case without realising (Caps Lock on by mistake, for example).
Certainly where I work (a very large UK Government Department) a decision was made many moons ago to remove any case checking of passwords for this reason: calls to IT Support from folk who’d locked themselves out of various IT systems plummeted as a consequence of this “derestriction”.
Keith
Blyth, Northumberland, England
Capture The Moment
Re: Lower case passwords
Can’t reproduce this. I myself have been using case-sensitive passwords (with lower- and uppercase chars) since I started using Textpattern. So all Textpattern versions I know support this.
Do you mean this, or do I not understand your issue, Stef?
Digital nomad, sailing the world on a sailboat: 32fthome.com
Re: Lower case passwords
Actually Stef, following Trenc’s comments I’ve just tested my Admin-side password – it’s case-sensitive too…
Keith
Blyth, Northumberland, England
Capture The Moment
Re: Lower case passwords
Maybe this has to do with the MySQL db, which might be set as CI (case insensitive).
Yiannis
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
#6 2009-03-09 01:35:33
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: Lower case passwords
Textpattern swaps it to lowercase before it creates the hash. It’s done that for a long time, so I don’t know the reasoning. There is no PHP or MySQL limitation to work around.
Re: Lower case passwords
keith wrote:
Certainly where I work (a very large UK Government Department) a decision was made many moons ago to remove any case checking of passwords for this reason: calls to IT Support from folk who’d locked themselves out of various IT systems plummeted as a consequence of this “derestriction”.
That is insane! Both upper and lower case should be required not ignored.
Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker
Re: Lower case passwords
A password consisting of eight random characters from a set of lower case letters and numbers provides 41.4 bits of entropy, while one with upper and lower case letters plus numbers has 47.6 bits. Adding a ninth character to the former password results in 46.5 bits of entropy.
Thus, expanding the set of possible password characters to mixed case is roughly as effective as increasing the password length by one character. Adding this to the fact that upper/lower case confusions are a major cause of support cases IRL, I think that ignoring password case is a justifiable decision.
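A worked example of the two technical points in this thread, added here and not taken from the thread or from Textpattern’s code: the entropy figures above (password length times log2 of the symbol count) and the effect of lowercasing before hashing that Mary described in #6. The login store, its salt, iteration count and the sample password are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import math
import string

# Character sets behind the figures in wet's post (constructed here to match it).
LOWER_DIGITS = string.ascii_lowercase + string.digits  # 36 symbols
MIXED_DIGITS = string.ascii_letters + string.digits    # 62 symbols


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly at random
    from a set of `charset_size` symbols: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def casefolded_bits(alphabet: str, length: int) -> float:
    """Entropy that survives when the server lowercases the password before
    hashing: symbols that fold onto the same lowercase symbol count once."""
    folded = {c.lower() for c in alphabet}
    return entropy_bits(len(folded), length)


def extra_length_to_match(small: int, large: int, length: int) -> int:
    """Extra symbols a password from the smaller set needs to reach at least
    the entropy of a `length`-symbol password from the larger set."""
    target = entropy_bits(large, length)
    n = length
    while entropy_bits(small, n) < target:
        n += 1
    return n - length


# Hypothetical login store, NOT Textpattern's code: it reproduces the behaviour
# Mary describes (lowercase first, then hash) beside the case-preserving form.
SALT = b"constructed-demo-salt"  # constructed; a real store uses a random per-user salt
ITERATIONS = 100_000


def hash_password(password: str, casefold: bool) -> bytes:
    """Derive the stored hash; `casefold=True` is the lossy variant."""
    if casefold:
        password = password.lower()  # the step that discards case entropy
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)


def verify(stored: bytes, attempt: str, casefold: bool) -> bool:
    """Constant-time comparison of the attempt against the stored hash."""
    return hmac.compare_digest(stored, hash_password(attempt, casefold))


if __name__ == "__main__":
    for size, length in ((36, 8), (62, 8), (36, 9)):
        print(f"{length} chars from {size} symbols: {entropy_bits(size, length):.1f} bits")
    print(f"mixed case, 8 chars, after casefold: {casefolded_bits(MIXED_DIGITS, 8):.1f} bits")
    stored_cf = hash_password("CorrectHorse", casefold=True)
    stored = hash_password("CorrectHorse", casefold=False)
    print("casefolded store accepts 'correcthorse':", verify(stored_cf, "correcthorse", True))
    print("case-preserving store accepts 'correcthorse':", verify(stored, "correcthorse", False))
```

Running it reproduces the 41.4, 47.6 and 46.5 bit figures, shows that an eight-character mixed-case password stored through the casefolding path is worth the same 41.4 bits as a lowercase one, and that the casefolding store accepts any case variant of the password while the case-preserving store does not. `extra_length_to_match` reports that two extra lowercase characters are needed to equal or exceed the mixed-case figure, since nine characters (46.5 bits) fall just short of 47.6.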
Re: Lower case passwords
Ah ok, I catch it now.
Keith, it doesn’t matter whether you choose a case-sensitive or a lowercase password. A login is always possible with the lowercase/uppercase/mixed password variant.
I never noticed this.
The explanation by Robert seems logical to me, but it should be documented somewhere.
Last edited by trenc (2009-03-09 09:34:12)
Digital nomad, sailing the world on a sailboat: 32fthome.com
Re: Lower case passwords
keith/trenc/colak/Mary
My MySQL is indeed _ci, which may explain some other things I noticed regarding searches. Thanks for the pointer.
wet wrote:
upper/lower case confusions are a major cause of support cases IRL
OTish: Having done the whole IT thing, sadly I concur. I still have trouble believing that something as simple as remembering passwords — case and all — is so tricky, but I can see how a combination of using “remember my login” checkboxes, bad IT policy, and poor education over what is a good password prevails in industry and causes the aforementioned issue. For example, an IT department that forces users to change passwords every month should be bludgeoned with a fat spoon imo, as it just breeds useless passwords.
I think that ignoring password case is a justifiable decision.
Fair enough. It wasn’t meant as a direct flame or in any way a criticism (sorry if it came over that way). I was just curious if anyone knew why it was implemented in this manner; if it was a legacy decision that was just left this way across versions or whether it had a practical basis. Your point about the marginal increase in entropy is valid and just — and also the reason I always use many more than 8 chars in all my passphrases: my old favourite used to be a variant on a nursery rhyme, TgoDoY,Hh10000men (The grand old Duke of York, He had 10000 men) :-)
Anyway, I’ll get back in my box. You may ignore me from hereon in, as I clearly did not do my homework.
Last edited by Bloke (2009-03-09 09:33:25)
Re: Lower case passwords
Bloke wrote:
Anyway, I’ll get back in my box. You may ignore me from hereon in, as I clearly did not do my homework.
Don’t. It’s fun to poke around in code which most of us haven’t had our fingers on in the first place.