by blamarvt 5083 days ago
I'm not sure I understand the correlation between storing a case-insensitive value and encryption type / data storage medium.

Just because they do pre-processing on a value passed over secure means (in this case .toLower() or toUpper() or equiv.) before inserting it into a database doesn't hint at all at what format is being chosen for storage.

It's a silly thing to do and might hint at stupidity, but it's not "IT Security 101 Fail" unless more information can be ascertained.


If you're doing one irreversible transformation on the string (hashing), doing another (lowercasing) is quite pointless. This doesn't prove use of a reversible storage, but it's a very, very strong indicator. "If you hear hooves, it's probably horses, not zebras."
No, it does not. Here's a sample:

  // Both paths hash the lowercased password; what is stored is still a one-way bcrypt hash.
  function checkPassword($user, $posted_password) {
    // crypt() reuses the salt and cost embedded in the stored hash, so equal output means a match.
    return crypt(strtolower($posted_password), $user->saved_hashed_password) === $user->saved_hashed_password;
  }
  function setPassword($user, $posted_password) {
    // generateSalt() must return a fresh bcrypt salt string ("$2y$" + cost + 22 salt characters).
    $user->saved_hashed_password = crypt(strtolower($posted_password), generateSalt());
  }
Lowercasing the password before hashing (both on save and check) indeed lowers the strength of the password, but it saves a lot of support headaches from users who have caps lock turned on, or whose mobile device auto-capitalizes the first letter. Facebook does this, although in a better way: http://www.zdnet.com/blog/facebook/facebook-passwords-are-no...

While we can't know without looking at their implementation, it's certainly possible and indeed fairly easy to build a forgiving system without having the password stored in a reversible format.
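Two ways to build the forgiving check described above, as an added example that is not the commenter's code: the lowercase-then-hash scheme from the snippet, and the Facebook-style alternative where the password is hashed exactly as typed and the common slips (caps lock on, auto-capitalised first letter) are tried at login. PBKDF2 stands in for bcrypt, and ITERATIONS and the variant list are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; bcrypt's cost parameter plays the same role


def _kdf(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation; nothing here can be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password_lowercased(password: str) -> tuple[bytes, bytes]:
    """Scheme from the thread: normalise case first, then hash. Case entropy is discarded."""
    salt = os.urandom(16)
    return salt, _kdf(password.lower(), salt)


def check_password_lowercased(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(_kdf(password.lower(), salt), stored)


def set_password_exact(password: str) -> tuple[bytes, bytes]:
    """Facebook-style scheme: hash the password as typed; forgiveness happens at login."""
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def _forgiving_variants(typed: str) -> list[str]:
    """The password as typed, then the two common mistakes: caps lock left on
    (every letter's case inverted) and an auto-capitalised first letter."""
    variants = [typed, typed.swapcase()]
    if typed[:1].isalpha():
        variants.append(typed[0].swapcase() + typed[1:])
    return list(dict.fromkeys(variants))  # drop duplicates (e.g. all-digit passwords)


def check_password_forgiving(password: str, salt: bytes, stored: bytes) -> bool:
    """At most three KDF runs per login; the stored value is still a single one-way hash."""
    return any(
        hmac.compare_digest(_kdf(variant, salt), stored)
        for variant in _forgiving_variants(password)
    )
```

The second scheme accepts the same typos the first does without lowering the strength of the stored hash, at the cost of up to two extra KDF computations on a failed first attempt.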

Hmm, this would indeed be a simple, yet non-catastrophic explanation (and useful UX to boot). That would make sense; and if this were the case, I'd be glad I was wrong.
Again, I'm not seeing how a to_lower on a string in any way implies plain text storage. There's no indicator at all, frankly. It was a 2 minute decision by whoever implemented the user input and has negligible impact on password entropy.