

WellsFargo Ignores Case Sensativity on passwords - namidark

To everyone who has a WellsFargo bank account: Call up their online banking and talk to a representative and ask for a FREE RSA token to add 2 factor authentication to your bank account.<p>Wells Fargo DOES NOT respect case sensitivity in passwords. ABC123 is the same abc123, your password strength is getting cut in half. Call and demand a free token - # is 1-800-956-4442 . Go to Account Services -&#62; My Profile -&#62; Managed Advanced Access and order the RSA token. Once you do tell them you want the charge waived.<p>After calling them and getting a call back from their IT department, they are aware of this and have no immediate fix planned.
======
Jacquass12321
Honestly this is the same argument that has been swirling around Diablo 3
recently regarding their decision to use case insensitive passwords.

The importance of case sensitivity is dramatically overblown. An appropriately
long password is still just as safe regardless of case sensitivity.

[http://en.wikipedia.org/wiki/Password_strength#Random_passwo...](http://en.wikipedia.org/wiki/Password_strength#Random_passwords)

If you examine the length versus entropy chart you'll notice that you get
identical results with only 2 more characters in your password for case
insensitive.

<http://xkcd.com/936/> also seems relevant.

This really seems like mountain out of a molehill, although I think everyone
should get 2 factor authentication whenever it's an option. I don't see any
correlation between someone choosing to use caps insensitive passwords and
clear text password storage.

~~~
Piskvorrr
Unless you're storing the passwords _reversibly_ (which is pointless, and in
90% cases means "in plaintext"), how exactly do you know _what_ to lowercase?
Sane systems store passwords _hashed_ (and salted) - and two strings,
different only in casing, will give you completely different hashes.

So: no case sensitivity => no hashes => reversible password storage => IT
Security 101 Fail.

There's a difference between a user choosing a case-insensitive password, and
the provider _changing_ the user's password to something else. As you point
out, the entropy added is not very significant; but it is very significant
_who_ makes this change in data - in a properly secured system, the provider
should have no way of getting at the user's passwords ("we have a policy"
doesn't cut it, this needs to be _technically_ infeasible - which is what
password hashing does).

Well, _of course_ their backend systems are probably uber-secure and
impenetrable, but there's no way to verify this, so you're depending on their
honor - like people did with the various companies which had their databases
hacked lately (Yahoo comes to mind - two weeks back?) and the passwords
published out on the intertubes. And, to be honest, how much value is there in
an average user's Diablo 3 account? And in an average user's _bank_ account? I
think this is the core difference.

Further reading - e.g. this: <http://dustwell.com/how-to-handle-passwords-
bcrypt.html> ("I don't see why that's an issue" != "That is not an issue")

~~~
blamarvt
I'm not sure I understand the correlation between storing a case-insensitive
value and encryption type / data storage medium.

Just because they do pre-processing on a value passed over secure means (in
this case .toLower() or toUpper() or equiv.) before inserting it into a
database doesn't hint at all at what format is being chosen for storage.

It's a silly thing to do and might hint at stupidity, but it's not "IT
Security 101 Fail" unless more information can be ascertained.

~~~
Piskvorrr
If you're doing one irreversible transformation on the string (hashing), doing
another (lowercasing) is quite pointless. This doesn't _prove_ use of a
reversible storage, but it's a very, very strong indicator. "If you hear
hooves, it's probably horses, not zebras."

~~~
Firehed
No, it does not. Here's a sample:

    
    
      function checkPassword($user, $posted_password) {
        return bcrypt(strtolower($posted_password), $user->saved_hashed_password) === $user->saved_hashed_password;
      }
      function setPassword($user, $posted_password) {
        $user->saved_hashed_password = bcrypt(strtolower($posted_password), generateSalt());
      }
    

Lowercasing the password before hashing (both on save and check) indeed lowers
the strength of the password, but it saves a lot of support headache from
users that have caps lock turned on, or your mobile device auto-capitalizes
the first letter. Facebook does this, although in a better way:
[http://www.zdnet.com/blog/facebook/facebook-passwords-are-
no...](http://www.zdnet.com/blog/facebook/facebook-passwords-are-not-case-
sensitive-update/3612)

While we can't know without looking at their implementation, it's certainly
possible and indeed fairly easy to build a forgiving system without having the
password stored in a reversible format.

~~~
Piskvorrr
Hmm, this would indeed be a simple, yet non-catastrophic explanation (and
useful UX to boot). That would make sense; and if this were the case, I'd be
glad I was wrong.

------
Piskvorrr
"your password strength is getting cut in half" - which is only the icing on
the cake. As soon as the other side manipulates the _plaintext_ version of
your password, it is reasonable to assume that _THEY ARE PROBABLY STORING THE
PASSWORD REVERSIBLY_. Whoa. (To be precise, they _could_ be lowercasing the
password client-side; but every case of "hello, we've mutilated your password"
I've seen so far has been down to "oh, and we're storing it in plaintext; is
that bad?").

------
Hkr4294967296
Most banks consider a password to be a form of security theater (and quite
rightfully so). Banks monitor many other aspects of the login (e.g., IP
address, date/time, computer, what you do when you log in, etc.). Even if
someone knows your password they will not necessarily be able to conduct a
transaction on your behalf. Case sensitivity only adds an extra bit of entropy
(possibly even less since I suspect the average user employs lower-case
characters more frequently).

------
dopp
Sensitivity?

