Make username and password case insensitive

Re: Make username and password case insensitive

by David Mudrák -
Number of replies: 1

Well, I must say I personally consider that a bad idea. Having the password case insensitive goes completely against the whole idea of password authentication. Good practice is, on the contrary, to allow (and actually use) as many character types as possible. Any limitation put on accepted characters in the password significantly degrades the potential strength of the password. That is why security experts recommend using a passphrase instead of a single password (that is, use multiple words separated by spaces, for example), mixing letter case and using non-alphabetical characters. All these help to prevent the password from being guessed. Any operation (such as changing the case, trimming the trailing whitespace, etc.) just makes the passwords weaker - for no good reason.

I do understand why the letter case in usernames should be ignored. But for passwords, I would definitely discourage doing that.

Average of ratings: Useful (1)
In reply to David Mudrák

Re: Make username and password case insensitive

by Petr Skoda -
Oh, I was talking only about the handling of usernames - now everything is forced to be lowercase, which breaks in multiple use cases and auth plugins, which in turn prevents proper implementation of case-insensitive usernames. Some time ago I proposed a patch for login via email which could be done at the same time.

I agree that passwords must not be weakened. There are some sites that do inverted case and first capital letter to work around user frustration with Caps Lock and automatic first capital; the only question is, do we want yet another setting in admin UI?
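
The trade-off discussed in this thread, as an added example that is not part of either post and is not Moodle code: it counts how many case spellings of one password a strict check, the inverted-case/first-capital workaround, and a fully case-insensitive check each accept. The function names, the PBKDF2 stand-in hash, the salt and the sample password are all assumptions made for the illustration.

```python
import hashlib
import hmac
import itertools

SALT = b"constructed-demo-salt"  # constructed; a real site uses a random per-user salt
ITERATIONS = 10_000              # demo-sized so the enumeration below runs quickly

def hash_password(password: str) -> bytes:
    # PBKDF2 is a stand-in for the site's real password hash (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)

def capslock_candidates(typed: str) -> list[str]:
    """As typed, case-inverted (Caps Lock on), first character flipped (auto-capital)."""
    candidates = [typed, typed.swapcase(), typed[:1].swapcase() + typed[1:]]
    return list(dict.fromkeys(candidates))  # de-duplicate, keep order

def verify_strict(typed: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(typed), stored)

def verify_capslock_tolerant(typed: str, stored: bytes) -> bool:
    # The stored hash is still of the exact password; only the input is varied.
    ok = False
    for candidate in capslock_candidates(typed):
        ok |= hmac.compare_digest(hash_password(candidate), stored)
    return ok

def verify_case_insensitive(typed: str, stored_folded: bytes) -> bool:
    # Requires storing the hash of the lowercased password: case is lost for good.
    return hmac.compare_digest(hash_password(typed.lower()), stored_folded)

def accepted_spellings(password: str, verify, stored: bytes) -> int:
    """Count the case variants of `password` that `verify` lets through."""
    per_char = [sorted({ch.lower(), ch.upper()}) for ch in password]
    return sum(verify("".join(v), stored) for v in itertools.product(*per_char))

PASSWORD = "Ab3cD"  # constructed sample: 4 letters, so 16 case spellings

def demo() -> tuple[int, int, int]:
    exact = hash_password(PASSWORD)
    folded = hash_password(PASSWORD.lower())
    return (accepted_spellings(PASSWORD, verify_strict, exact),
            accepted_spellings(PASSWORD, verify_capslock_tolerant, exact),
            accepted_spellings(PASSWORD, verify_case_insensitive, folded))

if __name__ == "__main__":
    print("strict, capslock-tolerant, case-insensitive:", demo())
```

The tolerant check accepts a fixed number of spellings (at most three) whatever the password length, while case folding accepts 2^n spellings for n letters.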