Password security, or Ease of Use?

Should a login system be case insensitive?

Short answer: Yes. But numbers/symbols should be required.

Long answer: One of the most common mistakes made when logging in is to have the caps lock key pressed. In studies, significant proportions of support calls are simple case-sensitivity issues with usernames or passwords.

Some login systems address this issue by detecting when the username and password are all uppercase, and displaying a message “you entered your username and password in all capitals.”

While the programmers of such systems are trying to be friendly and helpful, this tends instead to intensely annoy users, who ask why, if someone went to all the trouble of writing a system that would notice they had made that mistake and display the message, it could not simply deal with the problem itself and log them in. Why does the system go out of its way to make them feel stupid, rather than simply using a little intelligence itself?

In my experience, annoyed, shamed users also tend to become more scared of the system, and more prone to making mistakes, but I don’t think anyone’s ever enumerated the effects this could have on the support overheads.

Making logins case-insensitive means that if the username DewiMorgan accidentally logs in as dEWImORGAN (which would not be detected by the above all-caps warning system, even though it’s clearly a caps-lock problem), DEWIMORGAN, or dewimorgan, it doesn’t mind, and will happily log the user in without any annoying errors.
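The case-insensitive login the post describes, as an added example that is not the post's own code: username and password are both normalised (Unicode NFKC, then casefold) before hashing and comparison, so DewiMorgan, dEWImORGAN, DEWIMORGAN and dewimorgan all reach the same stored record without any error message. The PBKDF2 parameters, the in-memory CredentialStore class and the sample credentials are assumptions for illustration. An unknown username still pays for one key-derivation run, so response time does not reveal whether a username exists.

```python
import hashlib
import hmac
import os
import unicodedata

# Illustrative KDF settings (assumed, not from the post): PBKDF2-HMAC-SHA256
# with a random per-record salt. Any modern password hash would do here.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def normalise(text: str) -> str:
    """Canonicalise case and Unicode form so equal-looking inputs compare equal.

    casefold() is stronger than lower() (e.g. German 'ß' folds to 'ss');
    NFKC first, so composed and decomposed forms of the same letter agree.
    """
    return unicodedata.normalize("NFKC", text).casefold()


def derive_key(password: str, salt: bytes) -> bytes:
    # The password is case-folded BEFORE hashing: this is where the single
    # bit per alphabetic character is given up. Digits and symbols are untouched.
    return hashlib.pbkdf2_hmac(
        "sha256", normalise(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class CredentialStore:
    """In-memory credential store (assumed stand-in for a database table)."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}
        # Decoy salt so the unknown-user path costs the same as a real check.
        self._decoy_salt = os.urandom(SALT_BYTES)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        # Usernames are stored normalised, so lookup is case-insensitive too.
        self._records[normalise(username)] = (salt, derive_key(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(normalise(username))
        if record is None:
            # Unknown user: still run one KDF so timing does not distinguish
            # "no such user" from "wrong password".
            derive_key(password, self._decoy_salt)
            return False
        salt, expected = record
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(derive_key(password, salt), expected)


if __name__ == "__main__":
    # Constructed sample credentials, using the post's own example phrase.
    store = CredentialStore()
    store.register("DewiMorgan", "Oscelots! Nesst in 43 treez")
    for attempt in ("dEWImORGAN", "DEWIMORGAN", "dewimorgan"):
        print(attempt, store.verify(attempt, "OSCELOTS! NESST IN 43 TREEZ"))
```

Because the hash is computed over the folded password, a stolen hash table is exactly one bit per letter cheaper to attack than a case-sensitive one would be, which is why the post pairs case-insensitivity with a longer minimum length rather than treating it as free.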

Now, this feels like a drastic reduction in security: it’s removing 26 possible characters of randomness, for EVERY LETTER of the password. That’ll be 26 x 26 x … LOTS of possibilities removed!

However, it turns out that case-sensitivity is not in fact a significant factor in security: it is equivalent to only a single bit of “randomness” information per alphabetic character of the password (and zero information loss on numeric or symbol characters, of course). For a given seven-character alphanumeric password, with no symbols, it reduces the number of possible combinations from:
(26 + 26 + 10)^7 =~ 3,521,000,000,000 combinations,
to:
(26 + 10)^7 =~ 78,000,000,000 combinations.

If this is felt to be a significant security risk, you could add one character to the password length, bringing the total up to three quintillion combinations again.

Another option is to use punctuation characters (!"£$%^&*_+~-=#(){}[]<>:@;'?,./`|\), but that's barely more effective than adding one more character. If you use every possible symbol on the UK keyboard and give them all the same probability of occurring in the password as the alphanumerics, then you only end up with an increase to seven quintillion combinations, at the expense of making the password hugely harder to memorise because you end up with passwords like “%z*h42+”, and most people can't remember punctuation as well as they can remember alphanumerics. So they'll write it down, and your security is promptly useless.

So, am I arguing that passwords should be purely alphanumeric? No. There are two reasons for this.

Firstly, users should be permitted to use a high security password if they like: that the login system treats it case insensitively can be transparent to them.

Secondly, users will, if permitted, use dictionary words for passwords. Requiring that at least one of the characters is not normally found in the dictionary will restrict this tendency, though they'll normally either replace letters with 100ka1ike (hara(ter$, or will stick the character they're forced to use on the end of the word. Certainly, they will tend not to give numerics and symbols as high a significance in their symbol set, and crackers will know this, trying combinations with only one or two symbols to begin with.

However, I definitely AM arguing for LONG passwords. Each alphanumeric letter adds a little over 5 bits of information to the password. A sequence of erratically spelled dictionary words would be far greater protection and easier to remember than any complex but shorter sequence, and would also be faster to type.

“ter qik broun foux jumpies ouver da layz dorg”

To brute-force this using just the letters of the alphabet plus space would take:
27^46 possible combinations: something like
69,619,860,913,088,559,769,513,602,159,355,000,000,000,000,000,000,000,000,000,000,000
7 x 10^64

“£$IUOPI^G4dsggh”
(24 uppercase + 24 lowercase + 10 numbers + 33 punctuation)^15
71^15
5,873,205,959,385,493,353,867,330,551
6 x 10^27

Both are about equally unpleasant to memorise, but the former is massively, massively harder to crack. Susceptible to brute-forcing of variations on known phrases, sure. But throw in a few punctuation characters or numbers, use a random but memorable English phrase, and what you have is infeasible to crack, but sufficiently memorable that it is less likely to be written down:

“Oscelots! Nesst in 43 treez”
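The keyspace arithmetic the post does by hand (62^7 against 36^7, adding a character, adding the UK punctuation set, and the 27^46 passphrase against the 71^15 string), as an added example that is not the post's own code. The alphabet sizes are the post's; the function names are mine. `length_to_match` reports the shortest case-folded length whose keyspace is at least as large as a given case-sensitive one, which for 62^7 turns out to be nine characters (36^8 is about 2.8 trillion, a little below the 3.5 trillion of 62^7).

```python
import math

# Alphabet sizes as used in the post (33 is the post's count of UK keyboard symbols).
UPPER, LOWER, DIGITS, UK_PUNCTUATION = 26, 26, 10, 33


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of randomness in a uniformly chosen string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def bits_lost_to_case_folding(password: str) -> int:
    """Bits given up when a specific password is case-folded before hashing.

    This is the post's framing: each letter that is present loses its
    upper/lower choice (one bit); digits and symbols lose nothing. Averaged
    over a uniform 62-symbol alphabet the loss per position is smaller,
    log2(62/36), roughly 0.78 bits.
    """
    return sum(1 for ch in password if ch.isalpha())


def length_to_match(alphabet_size: int, target_keyspace: int) -> int:
    """Shortest length over `alphabet_size` whose keyspace reaches `target_keyspace`."""
    length = 1
    while keyspace(alphabet_size, length) < target_keyspace:
        length += 1
    return length


def summarise(alphabet_size: int, length: int) -> tuple[int, float]:
    """(combinations, bits) for one alphabet/length pair."""
    return keyspace(alphabet_size, length), entropy_bits(alphabet_size, length)


if __name__ == "__main__":
    mixed = UPPER + LOWER + DIGITS            # 62: case-sensitive alphanumeric
    folded = LOWER + DIGITS                   # 36: case-folded alphanumeric
    with_symbols = mixed + UK_PUNCTUATION     # 95: every UK keyboard character
    cases = [
        ("7 chars, case-sensitive alphanumeric", mixed, 7),
        ("7 chars, case-folded alphanumeric", folded, 7),
        ("8 chars, case-folded alphanumeric", folded, 8),
        ("7 chars, all UK keyboard characters", with_symbols, 7),
        ("46-char lower-case passphrase with spaces", LOWER + 1, 46),
        ("15-char string over the post's 71-symbol set", 71, 15),
    ]
    for label, size, length in cases:
        combos, bits = summarise(size, length)
        print(f"{label:46s} {combos:10.3e} combinations, {bits:6.1f} bits")
    print("case-folded length needed to match 62^7:",
          length_to_match(folded, keyspace(mixed, 7)))
    print("bits lost folding the post's phrase:",
          bits_lost_to_case_folding("Oscelots! Nesst in 43 treez"))
```

The bits column is the more useful comparison: each case-folded alphanumeric character is worth log2(36), a little over five bits, so the 46-character phrase carries well over twice the entropy of the 15-character symbol string even before any punctuation is added to it.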

- Farrier.
