
I'm trying to find on the Internet some manual, guide or security policy stating that

applications should not convert a lowercase string to uppercase before storing it as a password.

I mean, don't turn "testpassword123" into "TESTPASSWORD123".

I have read a lot of recommendations, but I need some explicit document that tells us "you should not uppercase the string when saving it as a password", as explicit as that.

Thanks a lot for the help so far.

Felipe M
  • I can't see any logic here, it's nothing more than illogical crap in my opinion. – Batuhan Mar 30 '15 at 13:02
  • @Batuhan I have already seen many applications doing that, I mean, converting lowercase characters to uppercase before saving to the database. I'm going to write a guideline about safe passwords and need some documentation, manuals, etc., explicitly stating that it's not safe to uppercase the characters. – Felipe M Mar 30 '15 at 13:09
  • You could just point to any password policy which demands mixed case. That it is pointless to demand mixed case when you then throw it away on the backend should be obvious to anyone. Another pitfall is that upper-casing some more exotic Unicode characters is non-trivial and often done inconsistently even by common libraries, which can lead to ambiguity. – Philipp Mar 30 '15 at 13:13
  • @Philipp I found a lot of password policies, but they just give us recommendations. I'm looking for rules, not guidelines. Some web post, anything, that says "don't uppercase the string before saving". I found this: http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf page 3-8, but it's not "DON'T DO THAT" exactly. – Felipe M Mar 30 '15 at 13:21
  • @FelipeM What is the exact difference between "rules" and "recommendations" in your opinion? Any official "rule" only applies to a specific organization which is subject to that set of rules, so for everyone else they are just recommendations at best and completely irrelevant at worst. – Philipp Mar 30 '15 at 13:24
  • Well, a safe password must contain uppercase and lowercase letters, symbols and numbers. Saving them as uppercase breaks that rule. You can find that safe password rule everywhere and you can use it as a "don't uppercase before saving" rule, because this action will break the complexity rule. – Batuhan Mar 30 '15 at 13:28
  • In what way does conversion to all-uppercase *not* violate the recommendation mixed-case passwords be allowed? Such a to-uppercase practice is incompatible with mixed-case passwords (since no password, as your application understands passwords, could ever have a lowercase letter). – apsillers Mar 30 '15 at 13:31
  • @Philipp I agree about that, maybe there isn't a "rule" about not uppercasing the whole string. I'm going to edit my question to ask, then, for the explicit recommendation not to uppercase the string when it's a password, for safety reasons. – Felipe M Mar 30 '15 at 13:35
  • @Batuhan yes... but I need find somewhere some doc that says "don't upper all the string". For example, MS says ( https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx ) that the password must contain characters from three of five categories: upper, lower, Nonalphanumeric, number and unicode. If I upper the string, I still have possibilities. Agree? – Felipe M Mar 30 '15 at 13:38
  • This question is essentially a subset of a previous question: [Why do some websites and programs restrict password characteristics?](http://security.stackexchange.com/q/1534/12) Though the implementation is different, functionally it's the same...The developers are preventing users from using lowercase letters in their passwords, and the answers explain why this is bad, particularly the ["Bottom Line" section of D.W.'s answer](http://security.stackexchange.com/a/1546/12). – Xander Mar 30 '15 at 14:08
  • @Xander "I'm sure", "I think", "I guess", etc.. I need some doc that says "don't upper your string when you're going to save it as a password", explicit as this. – Felipe M Mar 30 '15 at 14:14
  • @FelipeM You can't find something like that, because password strength rules are clear. They say use both uppercase and lowercase letters. If you agree with that, there is no need for a "don't uppercase" rule. This question is not a frequently asked one, so I don't see a reason for a special explanation. Your guideline will be fine without that exception, don't worry. – Batuhan Mar 30 '15 at 14:30
  • @Batuhan No, Batuhan, they say "you can use...". For example, MS says ( technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx ) that the password must contain characters from three of five categories: upper, lower, Nonalphanumeric, number and unicode. If I upper the string, I still have a strong password. That's the (bad) point. Help me, please :( – Felipe M Mar 30 '15 at 14:33
  • @FelipeM Your requirement is too specific. While it's possible something so specific may exist, you are going to expend a great deal of time and energy trying to find it, and there's no guarantee that you will. If you want a document *that* specific, I suggest you write it. – Xander Mar 30 '15 at 14:37
  • @FelipeM When you uppercase a string, you destroy all lowercase letters. See GZBK's answer below: its strength will decrease, it will become more vulnerable to brute-force or dictionary attacks, and it will lose the user's characteristics (http://imgur.com/a/NzABs). Passwords shouldn't be modified without the user's knowledge. – Batuhan Mar 30 '15 at 14:42
  • @Batuhan I know, I agree. That's the reason why I'm looking for some material that says "don't uppercase everything, preserve the lower and upper case"... But I haven't found it yet. Just some material saying "you can do this, you can do that"... – Felipe M Mar 30 '15 at 18:06
  • @FelipeM Stop searching, you won't find material that says this. As I said, this is not a common practice, and no one writes about something that obvious. Why not be the first? – Batuhan Mar 30 '15 at 18:15
  • @Batuhan take a look at this: http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf (Page 3-8), starting at "Some password mechanisms have more limited character"... See? There is something, just need more of this, friend. Never saw something like this? I know that's obvious, but I need paper, doc telling it! – Felipe M Mar 30 '15 at 18:47

2 Answers


I also could not find any password storage policies that mention that passwords should not be upper-cased. But I also didn't find any guides which told me not to set every password to "password", not to remove all special characters, or not to shorten them to 4 characters. It's just obvious.

You should not change the password that the user supplied. This can lead to unreasonably weak passwords (without the user's knowledge!), and to compatibility issues later on (the user will always type in their password the way they set it, so each login/verification mechanism needs to perform the same password transformation on each login).

If you can't deal with some special characters, report this back to the user who submitted them; do not silently change the supplied password.

tim
  • That's exactly what I need and didn't find yet. Some material that says "don't upper your string when saving it as a password". Like I commented before, MS says ( technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx ) that the password must contain characters from three of five categories: upper, lower, Nonalphanumeric, number and unicode. If I upper the string, I still have possibilities. Right? – Felipe M Mar 30 '15 at 13:57

A historical example of such a poor algorithm is Microsoft's LM hash.

As you said, Felipe, in order to create a strong password you need, among other things, to mix uppercase and lowercase letters. Why? Because by doing so there can be 52 different possible letters constituting each character of the password: 26 lowercase + 26 uppercase.

By converting the string to uppercase, you weaken the password, since there will now be only 26 different possible letters constituting each character, not 52, which makes the password far easier to guess. In other words, you're helping hackers to penetrate the system because they will not have to bother with the case issue, since "secret", "Secret", "SecReT" and "SECRET" will all match the very same password and open the same access.

WhiteWinterWolf
  • Yes, but... where, in an official doc, from some company for example, can I read this? Where can I read "don't uppercase the string for passwords"? – Felipe M Mar 30 '15 at 14:16
  • There is no official doc stating this, because everyone is free to run their company how they want: there is no law forbidding the use of a weak authentication scheme, and as long as you do not need some certification there is no compliance to abide by. However, since as a company holder you may be fully responsible for damages caused to your customers and partners by your own carelessness, you may want to apply the best practices in order to reduce all risks to the minimum and, should the worst happen, be able to prove to others that you took all appropriate measures and are not responsible. – WhiteWinterWolf Mar 30 '15 at 15:11
  • @FelipeM By changing a password to upper, you *fundamentally change the password*. There is not going to be a doc that says not to do this. By switching to upper(), you might as well change "testpassword123" and every other submitted password into "password", and there won't be a doc that tells you not to do that, either. Sure, the practical reason is about reducing complexity, but the basic principle is to not change the password submitted. The reasons why are inherently obvious. – schroeder Mar 30 '15 at 20:09
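The following is an added example, not code from the question or either answer, that makes both answers' points concrete: it places the "uppercase, then hash" scheme the question describes next to hashing the password exactly as submitted, quantifies the keyspace loss WhiteWinterWolf describes, shows that an attacker never needs to try lowercase candidates against the flawed store, and implements tim's advice of rejecting unsupported characters instead of silently rewriting the password. All function names and sample passwords are constructed for the illustration; the KDF iteration count is deliberately tiny so the brute-force demo finishes quickly and is not a recommended setting.

```python
# Added example (not from the original question or answers).
# Contrasts case-folding before hashing with hashing the password verbatim,
# and shows why the former hands the attacker a smaller search space.
import hashlib
import hmac
import itertools
import os
import string
from typing import Callable, Optional, Tuple

# Deliberately tiny so the exhaustive search below finishes in well under a
# second. A real deployment uses a memory-hard KDF (Argon2id, scrypt) or
# PBKDF2 with hundreds of thousands of iterations.
DEMO_ITERATIONS = 10

# Characters this hypothetical backend supports; anything else is rejected
# with a message rather than transformed.
ALLOWED_CHARS = string.ascii_letters + string.digits + string.punctuation + " "


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, DEMO_ITERATIONS)


# The flawed scheme: the application rewrites the password before hashing it.
def store_uppercased(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _kdf(password.upper(), salt)


def verify_uppercased(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_kdf(password.upper(), salt), digest)


# The correct scheme: hash exactly the string the user typed.
def store_verbatim(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def verify_verbatim(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_kdf(password, salt), digest)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def brute_force(salt: bytes, digest: bytes,
                verify: Callable[[str, bytes, bytes], bool],
                alphabet: str, length: int) -> Tuple[Optional[str], int]:
    """Exhaustive search over alphabet**length; returns (match or None, attempts)."""
    attempts = 0
    for chars in itertools.product(alphabet, repeat=length):
        attempts += 1
        candidate = "".join(chars)
        if verify(candidate, salt, digest):
            return candidate, attempts
    return None, attempts


def reject_unsupported(password: str) -> Optional[str]:
    """tim's point: if the backend cannot handle a character, tell the user;
    never silently normalise it away. Returns an error message or None."""
    bad = sorted({c for c in password if c not in ALLOWED_CHARS})
    if bad:
        return "unsupported characters: " + " ".join(repr(c) for c in bad)
    return None


if __name__ == "__main__":
    # Letters only, 8 characters: 52**8 / 26**8 = 256 times fewer candidates.
    print("keyspace ratio, 8 letters:", keyspace(8, 52) // keyspace(8, 26))

    salt, digest = store_uppercased("sEc")
    # An uppercase-only search already succeeds against the flawed store...
    print("flawed store:", brute_force(salt, digest, verify_uppercased,
                                       string.ascii_uppercase, 3))
    salt, digest = store_verbatim("sEc")
    # ...and exhausts 26**3 candidates without a hit against the verbatim store.
    print("verbatim store:", brute_force(salt, digest, verify_verbatim,
                                         string.ascii_uppercase, 3))

    # Philipp's Unicode caveat: str.upper() is not injective. "straße" and
    # "strasse" both uppercase to "STRASSE", so the flawed store accepts either.
    salt, digest = store_uppercased("straße")
    print("strasse accepted for straße:", verify_uppercased("strasse", salt, digest))

    print(reject_unsupported("pässword"))   # error message, password unchanged
```

The exhaustive search against the verbatim store returns `None` after 26**3 attempts: that is the 256-fold (for eight letters) advantage the flawed scheme gives away, since a cracker targeting the uppercased store can drop every lowercase candidate from its wordlist and rules. The "straße" case is the concrete form of Philipp's warning that case mapping is not a clean, reversible operation, so two distinct passwords end up verifying against the same stored digest.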