
"Yes, the passwords are converted to uppercase before hashing. That's probably a bad idea - especially in the modern world - but it really dates back to their first Battle.net game - Diablo - from 1996."

Yup, that's probably a bad idea. Thank goodness you didn't disagree that it's probably a bad idea, like I've seen a ton of nut-jobs do.

That said, I think it's only "probably a bad idea" in terms of protecting people who use the same password on multiple sites, which is "without question a bad idea."



Put me in as a nut job then. I've seen plenty of users who make no distinction whatsoever regarding the case of characters in passwords. One day their password is working, the next day it isn't, and the organization ends up spending the customer care money to deal with it just because they started typing "af" at the end of their password instead of "Af" or whatever.

If you need more complexity in a password, better to just encourage them to use a phrase with the words being the individual complexity rather than the characters. Like it or not, we live in a world where 80% of end users can't turn their wifi radio on and off on their phone, and we need to make systems that are a pleasure to use for them.


Condescension about idiot users is never a very persuasive way to make a point.

> we live in a world where 80% of end users can't turn their wifi radio on and off on their phone

But they still manage to properly enter their case-sensitive password to buy new apps.


> But they still manage to properly enter their case-sensitive password to buy new apps.

Because they never use uppercase in their case-sensitive passwords.


This attitude makes me very angry.

Even if 80% of users don't use capitals in their passwords, the 20% who want that added security don't get it. Even if you believe this made-up statistic due to your condescending attitude towards "normal" users, the password should be case sensitive.

A (very stupid) alternative would be to notify the users that their password isn't case sensitive so that those who mind can use a more secure password.

The argument that "most" users won't be affected is absolutely negated by the fact that some are.


Your anger is based on theory, not practice.

Blizzard takes a lot of steps to ensure your password can't be brute-forced. Even with the (imho unnecessary) limit of 16 chars on the password, you can have all the security you could need, and then some. On top of that, you can get two-factor auth for free in most cases. The "added security" that those people want is in practice not significant at all, and Blizzard had other priorities driving their choices.

If I had to make an auth system I'd probably still opt for case sensitivity, no length limits, and other such best crypto practices, simply because that's the path of least resistance. But my biggest security concerns would be elsewhere.


If you care about the security of your account at all, you should be using an authenticator, and even with a poor password proper two-factor authentication is far more secure than even the best password.


"Average" users have been taught to use strong passwords for a long time now.


Why is it worse to uppercase the password before hashing for people who use the same password on multiple sites? It doesn't matter if it is a 24 character password using every character set possible, if it is the same password they use somewhere else, and that place is compromised, the attacker will be able to use that password to login to the Battle.net account.


The reason is because lowering the entropy of the password makes the Blizzard version easier to crack. If Blizzard is compromised, the passwords won't be disclosed - just the hashes will be, so re-use isn't immediately an issue. It becomes an issue when the hash is cracked and the attacker can now see which password is being reused, and then reuse it. Of course if the reused password is something like "hunter2", the cracked version will look like "HUNTER2", but the original case can be guessed in a few tries once the case-insensitive version is discovered.

Very roughly, case sensitivity provides about a half bit of entropy. For reference, one bit of entropy takes twice as long to crack.

And say what you want about password reuse, but 99% of users re-use passwords at least somewhat, so site owners have an obligation to protect user passwords.


And the random salt used for hashes, and the minimum length of 8 for your password, all but eliminate their database compromise as being a plausible vector of attack.

Plus, caps doesn't add that many bits of entropy, when used as people use it (first letter, alternating letters, etc).


Seems to be a spreading practice for services with huge userbases; Facebook does it: http://www.zdnet.com/blog/facebook/facebook-passwords-are-no...


Facebook does something different. They accept two extra variants of the password (first letter capitalized and case reversed). They don't uppercase the password before hashing or checking. This reduces the security slightly as opposed to uppercasing passwords which reduces the search space significantly.


Facebook does a different thing. It does not allow any casing (sp?). It allows only the right one, the reverse, and the first letter in uppercase.

Blizzard seems to uppercase the given password and hash that. This method makes a lot of wrong passwords work. In Facebook's case only two more passwords than the original are accepted.
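An added illustration of the difference the last two comments describe, and of the entropy point made earlier in the thread (this is example code written for this page, not Blizzard's or Facebook's implementation): it counts how many casings of a constructed sample password log in under "uppercase before hashing" versus "hash exactly, then accept two variants". The salt, the plain SHA-256 (a real system would use a slow KDF), and the reading of Facebook's two variants as "case reversed" and "first letter toggled" are assumptions.

```python
import hashlib
import itertools
import math

# Constructed salt for the demo only; real storage would use bcrypt/scrypt/PBKDF2.
SALT = b"demo-salt"


def _h(password: str) -> bytes:
    return hashlib.sha256(SALT + password.encode("utf-8")).digest()


def store_uppercased(password: str) -> bytes:
    """Blizzard-style (as described in the thread): fold to uppercase, then hash."""
    return _h(password.upper())


def verify_uppercased(stored: bytes, typed: str) -> bool:
    return _h(typed.upper()) == stored


def store_exact(password: str) -> bytes:
    """Facebook-style (as described in the thread): hash the password exactly as set."""
    return _h(password)


def verify_with_variants(stored: bytes, typed: str) -> bool:
    """Accept the typed password, its case-reversed form (caps lock on), or the
    form with the first letter's case toggled (mobile auto-capitalisation).
    This is an assumed reading of the 'two extra variants' in the thread."""
    first_toggled = typed[:1].swapcase() + typed[1:]
    return any(_h(c) == stored for c in (typed, typed.swapcase(), first_toggled))


def case_variants(password: str):
    """Every way of casing the letters in password (non-letters unchanged)."""
    choices = [(ch.lower(), ch.upper()) if ch.isalpha() else (ch,) for ch in password]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def accepted_variants(password: str, store, verify) -> int:
    """How many distinct casings of password log in successfully under a scheme."""
    stored = store(password)
    return sum(1 for v in set(case_variants(password)) if verify(stored, v))


def bits_lost(password: str, store, verify) -> float:
    """log2 of the accepted casings: the case entropy the scheme gives away."""
    return math.log2(accepted_variants(password, store, verify))


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password: 6 letters, 64 possible casings
    print("uppercase-before-hash:", accepted_variants(pw, store_uppercased, verify_uppercased))
    print("exact hash + 2 variants:", accepted_variants(pw, store_exact, verify_with_variants))
```

For the six-letter sample, uppercasing accepts all 64 casings (6 bits gone), while the two-variant scheme accepts 3 (about 1.6 bits), which is the "slightly" versus "significantly" contrast above.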


Er, wow. That's horrendous. How in the world can they still blame the first Diablo when they made such a big deal about "Battle.net 2.0" recently? Why do they need to lump the new stuff together with legacy systems using broken security practices?


Most likely because the authentication codebase started with Starcraft, was integrated with Diablo 2, then was basically ported to WoW.

After that, WoW's system was basically integrated into the current Battle.net 2.0 system.


If they ever compromise the bnet database of hashed passwords though it may be a benefit, as the password they re-use may contain uppercase and lowercase letters, which the bnet database has no way of representing.


If the passwords are stored using proper key stretching techniques and salting, they don't need to have much entropy to withstand brute-forcing. It's not necessarily a problem that lowercase letters do not contribute. However, it is a completely unnecessary lowering of entropy.

My lesson from this is: it always pays to think about and understand even the seemingly most trivial decision. You may be stuck with it for decades.


He's actually wrong. Starcraft introduced usernames/passwords and unique names to Battle.net in early 1998. The support was then patched into Diablo 1.05. Diablo I's Battle.net functionality did not originally include usernames/passwords at all.

It was quite a strange little architecture, initially. Your displayed name was whatever you'd named your character, with the distinguishing feature being an "account number" that could be re-generated by deleting a file in your Diablo directory (the corollary being if you didn't back the file up, your account number would change upon a reformat or migration to a new computer).


Ultra minor nit-pick, but your account number was stored in a registry entry (HKEY_LOCAL_MACHINE\SOFTWARE\Battle.net\Configuration), not a file.

The account number consisted of four parts:

  Registration Version: This was always 1 for all the account numbers that I still have lying around.
  Registration Authority: I don't actually remember what this was used for.
  Client ID: The actual account number.
  Client Token: Random number used to verify the validity of the Client ID.


Or you used a tool to change your account to 1537 and nobody could ever find you because hundreds, if not thousands, of people all used that same shared account.



