case sensitivity in a Password
Posted: Wed May 18, 2011 11:27 pm
by ishakya
Hi,
I have a login page which is connected with a MySQL database table called tbl_user.
Basically two fields:
user_name & pass_word.
Assume I have saved a user name called 'ABC' & my password is 'aBc123'.
The password should be case sensitive.
When I log in to the system I enter my user name 'ABC' & type my password as 'aBc123'.
But the problem is I can log in to the system when I enter 'abc123'. But my real password is 'aBc123'. So my guess is that the password should be case sensitive.
My server is: Apache/2.2.17 (Fedora)
PHP Version 5.3.6
MySQL 5.1.56
Re: case sensitivity in a Password
Posted: Thu May 19, 2011 3:08 am
by Apollo
Sounds like you're comparing the password entered in the login form with the password stored in your database (implicitly using some case insensitive collation). WRONG.
You should NEVER store a password anywhere. Only a hash, for example:
Code:
$s = hash( 'sha512' , $password.'RaNd0mSaLt-378x16y49' );
And only store (and compare against) this hash string $s.
Re: case sensitivity in a Password
Posted: Fri May 20, 2011 9:00 am
by Gopesh
Hi, you can use md5 also for encrypting the password.... Never store raw password in database. Hope that it helps..
Re: case sensitivity in a Password
Posted: Fri May 20, 2011 11:37 am
by social_experiment
Gopesh wrote: Hi, you can use md5 also for encrypting the password
You could but you shouldn't. As per Apollo's example, use a stronger hash algorithm, at least sha512.
Re: case sensitivity in a Password
Posted: Fri May 20, 2011 12:10 pm
by flying_circus
Gopesh wrote: Hi, you can use md5 also for encrypting the password.... Never store raw password in database. Hope that it helps..
md5 hashes, it doesn't encrypt. Encryption implies the result can then be decrypted.
To reiterate what social experiment said, md5 hashing is not suitable for passwords. Use a stronger algorithm!
Re: case sensitivity in a Password
Posted: Fri May 20, 2011 4:50 pm
by Apollo
social_experiment wrote:use a stronger hash algorithm
flying_circus wrote:Use a stronger algorithm!
and append a so called 'salt' string before hashing, to avoid rainbow table attacks. And preferably (unlike illustrated in my simple example) a salt string that is unique per user, sometimes referred to as 'pepper'. This reduces any brute force attempts to single passwords only (instead of all passwords at once), and avoids revealing identical passwords being used by different users.
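Apollo's scheme (a random salt per user, SHA-512 over salt and password, the stored value compared against a freshly computed hash) written out as an added example; this is not code from the thread or from any poster. It assumes a PDO connection $pdo, the thread's tbl_user with pass_word widened to CHAR(128), and an extra salt column; the function names are made up for the example.

```php
<?php
// Added example: per-user salt + SHA-512, with the password check done in PHP.
// Assumes tbl_user(user_name, salt CHAR(32), pass_word CHAR(128)) and a PDO $pdo.

// Random per-user salt (32 hex chars); on PHP >= 7 random_bytes() is preferable.
function make_salt() {
    return bin2hex(openssl_random_pseudo_bytes(16));
}

// Hash the salt together with the password; the result is 128 lowercase hex chars.
function hash_password($password, $salt) {
    return hash('sha512', $salt . $password);
}

// Compare two hex strings without leaking where they differ through timing.
// PHP >= 5.6 ships hash_equals() for this; the loop below works on 5.3 as well.
function same_hash($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Store only the salt and the hash, never the password itself.
function register_user(PDO $pdo, $user, $password) {
    $salt = make_salt();
    $stmt = $pdo->prepare('INSERT INTO tbl_user (user_name, salt, pass_word) VALUES (?, ?, ?)');
    $stmt->execute(array($user, $salt, hash_password($password, $salt)));
}

// Look the row up by user name only and verify in PHP. Comparing the plain
// password in the WHERE clause is what let 'abc123' pass for 'aBc123' under a
// case-insensitive collation; hash('aBc123') and hash('abc123') are different
// strings, so the hashed comparison is exact regardless of collation.
function login_ok(PDO $pdo, $user, $password) {
    $stmt = $pdo->prepare('SELECT salt, pass_word FROM tbl_user WHERE user_name = ?');
    $stmt->execute(array($user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false;
    }
    return same_hash($row['pass_word'], hash_password($password, $row['salt']));
}
```

PHP 5.5 and later provide password_hash() and password_verify(), which generate the salt themselves and use a deliberately slow hash (bcrypt) intended for passwords; prefer them where that PHP version is available.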
Re: case sensitivity in a Password
Posted: Fri May 20, 2011 4:59 pm
by Apollo
Probably clear by now, but just to emphasize the point,
Gopesh wrote: Never store raw password in database. Hope that it helps..
Never store a password AT ALL - not raw, not cooked, not encrypted, not in Chinese.
Hashing is, unlike encrypting (or translating into Chinese for that matter), a destructive, one-way operation. The original input is lost. Which is what you want here!
The hash of a password is by no means reversible back into the original password. Two equal hashes (one stored in database, one calculated from whatever was entered in your login form) guarantee* that the password was correct, without revealing anything about the actual password itself.
(* although there's never 100% certainty in life, the probability of two different strings resulting in the same hash is about the same magnitude as some bits being flipped in your server's memory by cosmic rays allowing a user to login with a random password - that is, completely negligible)
Re: case sensitivity in a Password
Posted: Wed Jul 13, 2011 2:53 pm
by unplugme71
Never post what algorithm you are using either!
But yes, use a sha256 or sha512 - just make sure the column supports the proper width (e.g. 64).
Re: case sensitivity in a Password
Posted: Thu Jul 14, 2011 3:21 am
by social_experiment
unplugme71 wrote:Never post what algorithm you are using either!
Knowledge is power, and by knowing more the forum members can help more.
Re: case sensitivity in a Password
Posted: Thu Jul 14, 2011 7:16 am
by unplugme71
and also have to worry about security with malicious people lurking on the boards.
Re: case sensitivity in a Password
Posted: Thu Jul 14, 2011 8:04 am
by social_experiment
Mentioning hash lengths should also be taboo then.

Re: case sensitivity in a Password
Posted: Tue Sep 13, 2011 3:45 am
by timWebUK
If you know the algorithm being used, you know the length.
As everyone has been saying, hash passwords before storing. Then when the user enters a password into your form, this is then hashed and COMPARED with the stored hash. Hashes are case-sensitive, as your original requirement stated.
Check out Mordred's tutorial:
viewtopic.php?t=62782
Re: case sensitivity in a Password
Posted: Wed Sep 14, 2011 3:12 am
by VladSun
unplugme71 wrote:Never post what algorithm you are using either!
unplugme71 wrote:and also have to worry about security with malicious people lurking the boards
It's still "security through obscurity". I would prefer to post my algorithm here and get security fixes as fast as possible by using posts from other members.
