[Retric]

I don't think checking every hash within one of the password is going to cost much, worst case your checking less than 1,000 passwords. However, I would much rather a system that checked 2 passwords one with and one without the caps lock on. AKA 1Password and 1pASSWORD.

[nbpoole]

"I don't think checking every hash within one of the password is going to cost much, worst case your checking less than 1,000 passwords."

If that's the case, you're doing it wrong (it being password hashing). Because if you can hash 1000 passwords fairly quickly, that's the lower bound of what a dedicated attacker can do. ;)

[mgkimsal]

If Amazon is letting someone attempt 1000 failed login attempts, even over several hours or a day, they're doing something wrong.

[nbpoole]

You also have to consider the possibility of an offline attack (ie: if Amazon's database were compromised and password hashes were leaked).

[MartinCron]

Storing the CAPS LOCK and non caps lock hashes of a password seems utterly brilliant. I'm tempted to start doing that.

[sparky]

Might improve user experience a bit, but your password hashing scheme needs to take much longer if an attacker knows he can rule out lower-case letters.

For example, 8-character alphanumeric passwords:

((26*2)+10)^8 / (26+10)^8 = 77.4

You have 77 times fewer passwords of length 8 (probably worse than that, most people skew more towards letters than numbers), so it should take 77 times longer to test one.

[Retric]

Caps lock does not remove lowercase letters, it swaps upper and lower case. <Caps Lock> + <Shift> <a> = a.

PS: Try it: ASdf becomes asDF.

[epochwolf]

I think caps lock works differently on macs. I remember it making everything uppercase, regardless of whether the shift key was pressed.

My Mac is running Windows at the moment and I can't reboot into OSX to test for several hours, so someoneelse will have to confirm or deny this.

[epochwolf]

Confirmed, capslock on OSX makes all letters uppercase. Shift is ignored.