by Firehed
5083 days ago
No, it does not. Here's a sample:

    function checkPassword($user, $posted_password) {
        // crypt() with the stored bcrypt hash as the salt argument reuses its
        // cost and salt, so the result can be compared with the stored hash.
        return hash_equals($user->saved_hashed_password,
                           crypt(strtolower($posted_password), $user->saved_hashed_password));
    }
    function setPassword($user, $posted_password) {
        $user->saved_hashed_password = crypt(strtolower($posted_password), generateSalt());
    }
    function generateSalt() {
        // bcrypt salt: "$2y$" + cost + "$" + 22 chars from [./A-Za-z0-9]
        return '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    }

Lowercasing the password before hashing (both on save and check) indeed lowers the strength of the password, but it saves a lot of support headache from users who have caps lock turned on, or whose mobile device auto-capitalizes the first letter. Facebook does this, although in a better way: http://www.zdnet.com/blog/facebook/facebook-passwords-are-no...

While we can't know without looking at their implementation, it's certainly possible and indeed fairly easy to build a forgiving system without having the password stored in a reversible format.
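The comment's own sample lowercases before hashing, which collapses every case variant of the password into one stored value. A forgiving check can instead keep the hash of the password exactly as typed and, on a miss, retry the two variants the comment names (caps lock on, first letter auto-capitalized). The example below is added here and is not from the original comment or from Facebook; it uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt so it runs without extra packages, and the iteration count, salt length and function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters. PBKDF2-HMAC-SHA256 from the standard library stands in
# for bcrypt here; the forgiving-check logic is independent of the hash used.
ITERATIONS = 100_000
SALT_LEN = 16


def set_password(posted_password: str) -> bytes:
    """Hash the password exactly as typed. No lowercasing, so the stored
    hash keeps the full strength of the password the user chose."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", posted_password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest  # stored as one opaque blob: salt || digest


def _verify_exact(stored: bytes, candidate: str) -> bool:
    """Recompute the hash for one candidate and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(recomputed, digest)


def candidate_variants(posted_password: str):
    """Yield the password as typed first, then the two mistyped forms the
    comment describes: caps lock on (every letter's case inverted) and a
    mobile keyboard auto-capitalizing the first letter (first letter flipped).
    Duplicates are skipped so a password with no letters is tried once."""
    yield posted_password
    swapped = posted_password.swapcase()
    if swapped != posted_password:
        yield swapped
    if posted_password[:1].isalpha():
        flipped = posted_password[0].swapcase() + posted_password[1:]
        if flipped != posted_password:
            yield flipped


def check_password(stored: bytes, posted_password: str) -> bool:
    """Accept the exact password or one of its two forgiving variants.
    Only the exact form is hashed on the happy path; the extra hash
    computations are paid only when the first comparison fails."""
    return any(_verify_exact(stored, v)
               for v in candidate_variants(posted_password))
```

Compared with lowercasing on save, the cost to the defender is bounded: an online guess now covers at most three candidates instead of one, so the effective keyspace shrinks by a factor of at most 3 rather than by the 2^n case combinations that strtolower discards, and the stored hash itself is of the full-strength password. Variants should be tried only after the exact form fails, and each extra hash costs the same work factor, so the list of variants must stay short.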