

Blizzard passwords: not case-sensitive - lordlarm
http://us.battle.net/d3/en/forum/topic/5152409863?page=1#4

======
baddox
A year or so ago this was also the case with Facebook [0]. I believe it's a
simple compromise between user experience and security. You can probably
eliminate a large portion of user frustration this way. Before you
instinctively respond with something like "but security should be the NUMBER
ONE priority," realize that you're _always_ making a compromise between user
experience and security, and in fact, the two aren't even orthogonal. You
could require users to purchase and use biometric scanners to authenticate,
but that would likely be very frustrating. Or, you could require users to use
a 50 character password with tons of entropy, but that would probably just
lead to users leaving, or (perhaps worse) writing their password on a note
stuck to their monitor.

[0] [http://www.zdnet.com/blog/facebook/facebook-passwords-are-no...](http://www.zdnet.com/blog/facebook/facebook-passwords-are-not-case-sensitive-update/3612) —Actually, Facebook wasn't completely case insensitive.
It only accepts the chosen password and a version with every character's case
inverted.

~~~
sturmeh
They gave a pretty good reason for that: case inversion occurs naturally if
you have caps lock on.

It doesn't make the password any less secure. (It's actually only one other
password.)

They also allow you to change the first letter to caps, which accounts for
phones that capitalise the first letter of every sentence you type.

~~~
baddox
> _It doesn't make the password any less secure. (It's actually only one other
> password.)_

It _does_ make your password less secure; it's just that Facebook judged it an
acceptable compromise between user experience and security.

------
sturmeh
Try making your passwords longer instead of making them harder to enter.

That is to say "usingthisasapassword" is ~4 million times better than using
"p4ssWOrd!".

------
g0su
Actually, I don't see that as a big deal. Maybe it could be tweaked to have
only the first one sensitive or try the all-caps/no-caps. But still, it's all
in the length of the password. I prefer to have that rather than someone
forcing me to use a 6-8 character password with at least one cap, one special
or any of this bullshit.

~~~
frio
I would be _very_ interested, however, to know what this implies about the way
they store their passwords. If, on submission, they normalise the case and
then hash it (and then for all checks, normalise the supplied pw)... then,
it's still not really acceptable, but at least the password I've given them is
encrypted.

~~~
ubercore
Pedant alert! Hashing is not encryption.

~~~
lawnchair_larry
Pedant alert, hashing is still a form of encryption. Take a look at what
crypt(3) used to do ;)

------
firloop
I find it funny how eager the community manager is to admit the flaw.

