Citi's Curious Password Handling - kencausey

For about the last week while I have been able to login to Citi's website to access my account, once I actually tried to get the details for the account I was redirected to a page indicating that there was a temporary problem and that I should try again later. Finally today I gave them a call.

Their first suggestion surprised me: I had used punctuation symbols in my password and I was told that while this had worked for years, only letters and numbers are allowed in passwords now. So I reset my password as directed and used only letters and numbers. The problem persisted. I was then asked if I had used upper case letters. I admitted that I had used a combination of numbers, upper case, and lower case letters. At this point I was rolling my eyes but was going to go ahead and reset my password again. But I was told that in fact there was no need to reset my password, simply use the same password but wherever I had specified an upper case letter, use the lower case version.

And this worked. Despite the fact that I had specified my password with a mix of upper and lower case I can login either with the mix of upper and lower case or with every letter in lower case.

Are there hash algorithms which are upper and lower case agnostic? Or should I assume that they store a hash of both the original password form and a lower cased version?

The story goes on but the verdict finally was that Chromium on Linux is not acceptable, but IE 11 on Windows 7 is, and I was finally able to download my most recent statement. I guess it's a good thing that I like to play computer games and so keep a Windows installation handy.
======
wikwocket
Don't try to overthink it. The sad truth is that password management is a
total boondoggle, especially for banks. This is due to a huge body of
superstition and cargo-cult policies on how to do it, how everyone else is
doing it, and how the mess of regulations concerning password/credit card info
tell you to do it.

There are of course best practices concerning how to correctly, securely, and
safely manage passwords, but these pale in comparison to all the "common
knowledge" about proper "password rules" and "encryption methods" out there.

Many banks will limit password length, limit your character set, forbid non-
alphanumerics, auto-lowercase, choose an obvious login for you, limit you to
easily-google-able "secret" questions, and prevent you from pasting in a
password from a password manager app, and do other things that limit your
ability to choose secure credentials. These days you are lucky if your bank
lets you actually choose a password instead of just assigning you an
unchangeable 4-digit numeric PIN!

~~~
grumps
It's maddening, maddening I tell you.

------
kencausey
I have to assume that the tech support person's idea that my problem was
related to my password (punctuation characters, upper case letters) was
nothing more than technical superstition. I'm often surprised how often I seem
to run into what I can only consider superstition when talking to first level
technical support personnel.

------
alexkus
> Are there hash algorithms which are upper and lower case agnostic? Or should
> I assume that they store a hash of both the original password form and a
> lower cased version?

The hash may not be case insensitive, but I've seen plenty of code in and
around password handling code that forces all letters to be lower/upper case
prior to hashing.

(There's rarely ever any explanation as to why, nor anyone still around who
admits to writing that code.)

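As an added illustration (not code from anyone in this thread), the snippet below shows the mechanism alexkus describes: the hash itself stays case-sensitive, but lowercasing the input before hashing makes verification accept any casing, and the keyspace shrinks accordingly. Function names, the PBKDF2 parameters and the sample password are assumptions for the example.

```python
import hashlib
import hmac
import math
import os

# Constructed example: a minimal store/verify pair with an optional
# pre-hash case fold, so the effect on verification can be observed.


def normalize(password, fold_case):
    """Return the bytes that actually reach the hash function.

    With fold_case=True this is the transformation the thread speculates
    about: every letter is lowercased before hashing, so 'Abc' and 'abc'
    produce identical digests even though PBKDF2 itself is case-sensitive.
    """
    return (password.lower() if fold_case else password).encode("utf-8")


def store(password, fold_case, salt=None, iterations=100_000):
    """Produce a credential record; the policy is stored so verify() matches it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password, fold_case), salt, iterations
    )
    return {"salt": salt, "hash": digest, "fold_case": fold_case,
            "iterations": iterations}


def verify(record, attempt):
    """Check an attempt against the record using constant-time comparison."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt, record["fold_case"]),
        record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def keyspace_bits(length, alphabet_size):
    """Entropy of a uniformly chosen password over the given alphabet."""
    return length * math.log2(alphabet_size)


def case_fold_cost_bits(length):
    """Bits lost for a mixed-case alphanumeric password once letters are folded
    (62 symbols -> 36 symbols per position)."""
    return keyspace_bits(length, 62) - keyspace_bits(length, 36)
```

For an eight-character alphanumeric password the fold costs roughly 6.3 bits, i.e. the attacker's search space is about 78 times smaller.
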
~~~
kencausey
Of course, I don't know why I didn't simply assume that whenever the password
is handled it is lower cased.

Confession: I worked on a website where this was done both for usernames and
passwords (about a decade ago). The justification at the time was that the
users could not be expected to understand the difference between upper and
lower case letters (or something to that effect). I suppose that justification
continues to play well.

~~~
bmelton
I usually lowercase usernames before storing them in the DB, which saves a lot
of mental effort later on -- specifically, where usernames are used as keys
(like "website.com/users/username/"), but I've always chosen to preserve case
on passwords as a security measure (being able to tell somebody your password
without actually telling them your password is valuable, if only in extremely
rare situations). It's odd to me that someone like a bank would choose the
other way.

------
grumps
I consistently find myself in similar situations. I've found some sites drop
characters after a certain limit. Some sites only allow numbers and
letters.

It's truly maddening that these people are just awful. I wish there were a way
to get them to change their rules.

