Security and privacy

Make username and password case insensitive

Picture of David Mudrák
Re: Make username and password case insensitive
Core developersDocumentation writersMoodle HQParticularly helpful MoodlersPlugin developersPlugins guardiansTestersTranslators

Well, I must say I personally consider that a bad idea. Having the password case insensitive goes completely against the whole idea of password authentication. Good practise is on contrary to allow (and actually use) as many character types as possible. Any limitation put on accepted characters in the password significantly degrades the potential strength of the password. That is why security experts recommend to use a passphrase instead of a single password (that is, use multiple words separated by spaces, for example), mix letter case and use non-alphabetical characters. All these help to prevent from guessing the password. Any operation (such as changing the case, trimming the trailing whitespace etc) just makes the passwords weaker - for no good reason.

I do understand why the letter case in usernames should be ignored. But for passwords, I would definitely discourage from doing that.

Average of ratings: Useful (1)
Picture of Petr Skoda
Re: Make username and password case insensitive
Core developersDocumentation writersPlugin developers
Oh, I was talking only about the handling of usernames - now everything is forced to be lowercase which breaks in multiple use cases and auth plugins which in turns prevents proper implementation of case insensitive usernames. Some time ago I proposed a patch for login via email which could be done at the same time.

I agree that passwords must not be weakened. There are some sites that do inverted case and first capital letter to work around user frustration with capslocs and automatic first capital, the only question is do we want yet another setting in admin UI?
Average of ratings: -