[frio]

I would be very interested, however, to know what this implies about the way they store their passwords. If, on submission, they normalise the case it and then hash it (and then for all checks, normalise the supplied pw)... then, it's still not really acceptable, but at least the password I've given them is encrypted.

[baddox]

Why isn't that technique (normalizing then hashing) acceptable? There is always a compromise between user experience and security. Why allow three character passwords, or passwords of "password", but not case insensitive passwords?

[ubercore]

Pedant alert! Hashing is not encryption.

[SquareWheel]

Hashing is one way, and encryption is two way -- correct?

edit: Might as well look it up. The user "bestsss" at Stack overflow confirms this is the case.

http://stackoverflow.com/questions/4948322/fundamental-diffe...

[lawnchair_larry]

Pedant alert, hashing is still a form of encryption. Take a look at what crypt(3) used to do ;)

[GuiA]

Why isn't it acceptable to normalise the password and then hash it, compared to just hashing it?

[frio]

Because the search space for brute-forcing a password is massively reduced :). Suddenly, instead of having 62 possibilities per password character (assuming alphanumeric + no specials), there's only 36. Whereas a password like "PassWord123" might have gotten past a wordlist (well, that's unlikely, but...), "password123" certainly wouldn't.

[GuiA]

Thanks!