[weird-eye-issue]

If your storing millions of passwords surely a version field and an if statement is not going to be a huge concern

[Raed667]

It is definitely more complicated than changing the case and running the hash again

[weird-eye-issue]

is_password_valid = hash_password(normalize_password_case(password) if version == 1 else password) == hashed_password

[pixl97]

Are we doing this client side or server side?

If you're actually using a 'strong enough' hash to prevent easy cracking if your hashed password database is leaked then you're doubling the server load which can be quite substantial in some cases.

[weird-eye-issue]

It's only being hashed once...

And obviously this is server side

[markenqualitaet]

Why?

[pawelmurias]

Because you are changing the daabase schema to introduce a stupid version field to store "normalized" passwords rather then just doing the check twice on mobile platforms.

[weird-eye-issue]

Hashing takes a lot of CPU time. And btw you don't even need to change the database schema. You could encode the version in the password field itself. Django does this and it works great

[pawelmurias]

The database would contain existing passwords without normalization. You also you have to hold the unnormalized password. Super silly to do that to save a few processor cycles on login.

[weird-eye-issue]

It's amazing how much misinformation is in this thread. You should do further reading on password hashing and rethink whether you really have to store two different passwords...

[kaba0]

Hashing one or two 10 char strings takes basically no time on even old mobile hardware.

[spookthesunset]

Good password hash algorithms specifically are designed to take a while. They add latency to the subsequent page load when you click “submit”.

[weird-eye-issue]

Not if you are using algorithms specifically designed to take a lot of CPU time, which is a best practice

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpubli...