Having a theorhetical question at work regarding the case sensitivity of userIDs. While we've seen a percieved standard of making these non-case sensitive are there any written standards for internet usage regarding userIDs and passwords? Perhaps a best-practice for this type of information?

2/24/2007 11:02:18 AM

there aren't really any standards for this sort of thing, but a lack of case-sensitivity is usually more of a matter of convenience for an end user.

generally, case-sensitivity means more possible permutations, which can mean greater security. brute-force attempts can still crack any password, eventually, but case-sensitivity increases the number of possible combinations greatly.

2/24/2007 12:52:44 PM

I understand - those are all my arguments against moving one of our applications at work in case insensitive. It's all coming down to security vs. convenience, which is why I was looking for some type of standard to back up my desire of case sensitivity.

2/24/2007 2:26:37 PM

make it case-sensitive and tell everyone to get the sand out of their vagina

[Edited on February 24, 2007 at 2:36 PM. Reason : it != is 

2/24/2007 2:30:37 PM

I'd say the big questions for this kind of thing are:

1) Do the users get to chose their own ID's?
2) Will the ID's be used for contact purposes?
3) If 1 is yes, would there be checks to keep someone from creating JohnDoe and Johndoe."

If the users get to create their own ID's you could have issues with people creating similar ID's for fraudulent purposes. You could solve this with a program that treats ID's as case sensitive for login purposes but not for determining uniqueness. If the user's aren't allowed to chose their own ID's then you run into the issue that what would be capitilized would be obvious and pre-determined in most cases. If the ID's are created from first+last name (like unity ID) this really wouldn't add any additional security since people could easily figure out ID's.

If the ID's are used for contact purposes (like a screen name or email adress) it would be fine to make the login case sensitive, but whatever program you use to rout communications, identify accounts, and check for uniqueness of names should treat both cases the same. You don't want something like email adresses to be case sensitive if you can help it, because people will fuck up a lot.

Passwords should always be case sensitive. There's no real downside to using case sensitive passwords especially if they get to chose their own. It's more important to require passwords be at least a certain length, contain letters and numbers (and symbols if you want to be really paranoid), and not have any common names or birthdates.

Why is anyone arguing for things not being case-sensitive?

2/24/2007 2:40:19 PM