
I use Authlogic in my app and I want to make things more convenient for my users by ignoring capitalization when I check their passwords (similar to what Facebook does).

What's the best way to implement this?

Also, how can I transition existing users to case-insensitive passwords? I.e., I assume I have to resave what is now crypt(password) as crypt(password.downcase)?

Tom Lehman
  • I don't understand why people ever want to do this. It makes brute-forcing weak passwords thousands of times easier. The minimum threshold of a "secure" password goes from about 8 characters to about 13. – Wug Jul 25 '12 at 19:55
  • You, sir, are the voice of reason. I wish more people would understand that just because Facebook does it, it doesn't mean it's a good idea in the first place. Blizzard does it as well. – vise Jul 25 '12 at 20:01
  • Facebook does this? brb checking – Wug Jul 25 '12 at 20:04
  • Facebook doesn't do this. You scared me there for a minute. – Wug Jul 25 '12 at 20:10
  • DOES it make brute-forcing weak passwords materially easier? Unless you force users to use a combination of characters (which is SUPER annoying IMO), everyone's password will be all lowercase (or all uppercase, depending on whether caps lock is on). – Tom Lehman Jul 26 '12 at 00:21
  • FYI, Facebook used to do this - back in 2012, not anymore. – Mike Causer Aug 20 '18 at 00:48
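The migration step the question asks about cannot be done in bulk: the database only holds crypt(password), and you cannot downcase a string you no longer have. The usual pattern is to migrate each row at the user's next successful login, when the plaintext is briefly available. The script below is an added example, not code from the question or from Authlogic; it uses Ruby's stdlib PBKDF2 as a stand-in for whatever crypto provider the app is configured with (an assumption; the migration logic is the same for bcrypt or SHA-512 stretching), a hypothetical case_insensitive column on the users table, and a constructed user record instead of an ActiveRecord model. It also includes a small keyspace calculation so the cost the comments argue about can be seen in bits rather than asserted.

```ruby
require 'openssl'
require 'securerandom'

# Stand-in for the app's crypto provider (assumption: the real app may use
# bcrypt or Authlogic's SHA-512 stretching; the migration does not depend on it).
ITERATIONS = 20_000
KEY_LEN = 32

def derive(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                           length: KEY_LEN, hash: 'sha256')
end

# Constant-time comparison so a mismatch does not leak where the bytes differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed record shaped like an Authlogic users row; `case_insensitive`
# is the hypothetical column added by the migration (false for legacy rows).
def new_user(password)
  salt = SecureRandom.hex(16)
  { crypted_password: derive(password, salt), password_salt: salt,
    case_insensitive: false }
end

# Returns true on success. A legacy row can only be verified exactly as typed,
# because that is the only input that reproduces the stored hash; on success
# the row is re-hashed as password.downcase with a fresh salt and flagged.
# A migrated row is verified against the downcased input only.
def authenticate!(user, typed)
  if user[:case_insensitive]
    return secure_equal?(derive(typed.downcase, user[:password_salt]),
                         user[:crypted_password])
  end
  return false unless secure_equal?(derive(typed, user[:password_salt]),
                                    user[:crypted_password])
  salt = SecureRandom.hex(16)
  user[:password_salt] = salt
  user[:crypted_password] = derive(typed.downcase, salt)
  user[:case_insensitive] = true
  true
end

# Bits of search space for a password drawn uniformly from an alphabet of the
# given size; folding case collapses the 52 letters to 26, so an 8-character
# alphanumeric password drops from 62^8 to 36^8 possibilities.
def keyspace_bits(alphabet_size, length)
  length * Math.log2(alphabet_size)
end

if __FILE__ == $0
  u = new_user('Secret42')
  puts authenticate!(u, 'secret42')   # false: legacy row, exact match required
  puts authenticate!(u, 'Secret42')   # true, and the row is migrated
  puts authenticate!(u, 'SECRET42')   # true: case is folded from now on
  printf("8 chars, mixed-case alphanumeric: %.1f bits; case-folded: %.1f bits\n",
         keyspace_bits(62, 8), keyspace_bits(36, 8))
end
```

Note that a legacy user who types the wrong case before migration still fails, exactly as today, so the transition is invisible to users and needs no password reset. The keyspace figures (about 47.6 bits versus 41.4 bits for eight alphanumeric characters) are the concrete form of the trade-off the comments discuss: roughly six bits, or a 64-fold reduction in brute-force work for that password shape.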
