by duke360 3446 days ago
The password is not case insensitive. It looks to me like they store 4 password versions (one for each variant), so they check all 4 in parallel to see if there is a match. It is not bad; it would be worse if they had the password in the clear and checked whether the inputted one matches the stored one in one of the 4 variants (calculated on the fly). That would be bad because it means the passwords are in clear text somewhere :(

Why store 4 versions? They just store the hash of the correct one and try hashing up to 4 versions of whatever you enter. As soon as one of those corresponds to the hash, you're in.
Facebook has been doing this for years, and I assumed that this is exactly what they do. It saves on DB space: three extra hashes for each user adds up with that many users. And if they decide they need a new variant, they just need to release a new auth module, not recalculate hashes the next time the user logs in. Or if they deem that one of these variants is no longer worthwhile (for security or UX reasons), again, they are not modifying the DB.
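The scheme the reply describes (one stored hash, several candidate strings derived from the typed password and hashed at login), as an added Python example that is not Facebook's or the commenters' code. The four variants and the PBKDF2 parameters are assumptions; the page only says "up to 4 versions" are tried and does not name them.

```python
import hashlib
import hmac
import os


def login_variants(typed: str) -> list:
    """Distinct candidate strings derived from what the user typed.

    Which variants are tried is an assumption for this example; the page
    only says up to 4 versions of the typed password are hashed.
    """
    candidates = [
        typed,                               # exactly as typed
        typed.swapcase(),                    # caps lock was on for the whole entry
        typed[:1].swapcase() + typed[1:],    # first letter auto-capitalised (or not)
        typed[:1] + typed[1:].swapcase(),    # first letter right, rest caps-locked
    ]
    seen, out = set(), []
    for c in candidates:
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Slow, salted KDF; the iteration count is an assumed value for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(password: str) -> dict:
    """Store ONE salted hash of the password exactly as the user set it."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, typed: str) -> bool:
    """Hash each candidate and compare in constant time; first match wins."""
    for candidate in login_variants(typed):
        digest = hash_password(candidate, record["salt"])
        if hmac.compare_digest(digest, record["hash"]):
            return True
    return False
```

The cost of this design is up to four KDF evaluations per failed login, and every accepted variant slightly enlarges the set of strings that unlock the account, so each one should be weighed on its own.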