Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Or just normalize the password by making the first character either lower- or uppercase both when checking and setting it.



It would be more complicated to do this once you stored millions of passwords.

So now you have to create 2 flows, those before the new policy and those that were set after the normalization.


If your storing millions of passwords surely a version field and an if statement is not going to be a huge concern


It is definitely more complicated than changing the case and running the hash again


is_password_valid = hash_password(normalize_password_case(password) if version == 1 else password) == hashed_password


Are we doing this client side or server side?

If you're actually using a 'strong enough' hash to prevent easy cracking if your hashed password database is leaked then you're doubling the server load which can be quite substantial in some cases.


It's only being hashed once...

And obviously this is server side


Why?


Because you are changing the daabase schema to introduce a stupid version field to store "normalized" passwords rather then just doing the check twice on mobile platforms.


Hashing takes a lot of CPU time. And btw you don't even need to change the database schema. You could encode the version in the password field itself. Django does this and it works great


The database would contain existing passwords without normalization. You also you have to hold the unnormalized password. Super silly to do that to save a few processor cycles on login.


It's amazing how much misinformation is in this thread. You should do further reading on password hashing and rethink whether you really have to store two different passwords...


Hashing one or two 10 char strings takes basically no time on even old mobile hardware.


Good password hash algorithms specifically are designed to take a while. They add latency to the subsequent page load when you click “submit”.


Not if you are using algorithms specifically designed to take a lot of CPU time, which is a best practice

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpubli...


Sounds like the requirement might be for the case insensitivity of the first character to only be for some platforms (eg mobile devices where autocapitalisation might have happened).

In that case this solution would have the disadvantage that it wouldn’t be platform specific.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: