Hi Everyone
I was trying to login to my Xtra webmail account and noticed the password field is not case sensitive.
Is this intentional or a bug?
While perhaps not best practice, I wouldn't consider this a security flaw per se. I'm sure there is a good reason why it is configured this way.
This presumably means that they are not hashing passwords which is not a good sign.
boosacnoodle:
This presumably means that they are not hashing passwords which is not a good sign.
Normalisation may be occurring before hashing.
Yesterday I checked and sure enough my xtra mail will log in using my password in just lower case. Sooo I contacted spark by typing to the robot and after about 15 minutes playing ring a ring a rosie I was typing to a human, and 30 minutes later and much hair pulling the penny dropped and I was told it should not do that and that the problem would be escalated to the great unwashed.
I wait with no expectation of an outcome as it would appear that such a security flaw is nothing to really worry about.
Since this thread came across my desk, this has been actively worked on.
I don't have an update I can provide here at this stage, but I'll simply confirm: yes, it has already been escalated and is with the right folk.
#include <std_disclaimer>
Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.
The ASB fastnet classic login webpage has the same issue.
TheMaskedOnion:
The ASB fastnet classic login webpage has the same issue.
Had, don't you mean?
Pretty sure they changed that a few years ago when it was last brought up here in GZ.
I just tried with an old login, and changed one character from upper to lower case and the login failed as expected. Worked fine with the proper case.
Mine isn't case sensitive, maybe I just need to change it.
EDIT: yup, just needed to change my password and now it's case sensitive.
On its own, is this actually much of an issue?
While case insensitive passwords certainly aren't best practice, if other techniques are used such as salting, hashing, and stretching, and forced password resets following multiple incorrect attempts within a given timeframe, then the increased risk by having case-insensitive passwords probably isn't that great.
What I'd be more concerned about is given that they use case insensitive passwords, what's the likelihood they also don't implement the other techniques for keeping my password safe, or that it's stored in plain text? That we will likely never know.
I would have thought that there's a better return on effort spent encouraging friends and family to use a password of sufficient length that includes special characters; ideally using a password manager to generate a random password, and not reusing your email password anywhere else than there is worrying about case sensitivity.
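To make the two earlier points concrete (that "normalisation may be occurring before hashing" can explain case-insensitive logins without implying plaintext storage, and that salting, stretching and a lockout after repeated failures are what actually limit the damage), here is an added illustration. It is not code from any poster or from Xtra/Spark; the credential store, the 100,000-iteration PBKDF2 cost and the five-attempt lockout threshold are all constructed assumptions.

```python
"""Case-folding before hashing vs. hashing the password exactly as typed.

Constructed example: a tiny credential store that (a) shows how a site can
look "case insensitive" while still salting and stretching, (b) adds the
lockout-after-N-failures control mentioned in the thread, and (c) measures
how much of the password keyspace case-folding throws away.
"""
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000        # PBKDF2 cost; illustrative, tune to your own budget
MAX_FAILED_ATTEMPTS = 5     # assumed lockout threshold ("multiple incorrect attempts")


def derive(password: str, salt: bytes, normalise: bool) -> bytes:
    """Salted, stretched hash of the password.

    With normalise=True the password is case-folded first, which is exactly
    what makes 'PassWord' and 'password' verify as the same credential even
    though nothing is stored in plain text.
    """
    material = password.casefold() if normalise else password
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, ITERATIONS)


def register(password: str, normalise: bool) -> dict:
    """Create a stored record: per-user random salt plus the derived hash."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": derive(password, salt, normalise),
        "normalise": normalise,
        "failed": 0,
        "locked": False,
    }


def verify(record: dict, attempt: str) -> bool:
    """Constant-time comparison; counts failures and locks the account once
    the threshold is reached so that a forced reset, not more guessing, follows."""
    if record["locked"]:
        return False
    candidate = derive(attempt, record["salt"], record["normalise"])
    ok = hmac.compare_digest(record["hash"], candidate)
    if ok:
        record["failed"] = 0
    else:
        record["failed"] += 1
        if record["failed"] >= MAX_FAILED_ATTEMPTS:
            record["locked"] = True
    return ok


def case_variants_collapsed(password: str) -> int:
    """Number of distinct typed passwords that fold to the same stored value:
    two choices for every character that has an upper/lower-case form."""
    cased = sum(1 for ch in password if ch.lower() != ch.upper())
    return 2 ** cased


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def bits_lost_to_case_folding(length: int) -> float:
    """Printable ASCII has 95 symbols; folding case merges the 26 upper-case
    letters into their lower-case forms, leaving 69 distinguishable symbols."""
    return keyspace_bits(length, 95) - keyspace_bits(length, 69)


if __name__ == "__main__":
    folded = register("PassWord1!", normalise=True)
    strict = register("PassWord1!", normalise=False)
    print("folded store accepts lower-case:", verify(folded, "password1!"))
    print("strict store accepts lower-case:", verify(strict, "password1!"))
    print("typed variants collapsing to one hash for 'Passw0rd!':",
          case_variants_collapsed("Passw0rd!"))
    print("bits lost for a 12-char random password: %.2f" % bits_lost_to_case_folding(12))
```

The numbers are the useful part: a random 12-character printable-ASCII password loses roughly five and a half bits to case-folding (about a 45x smaller keyspace), which is real but small next to the gain from a longer password, so the poster's point about length and a password manager holds. What case-insensitivity cannot tell you is whether the salting, stretching and lockout shown here exist at all on the other side.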
TheMaskedOnion:
Mine isn't case sensitive, maybe I just need to change it.
EDIT: yup, just needed to change my password and now it's case sensitive.
Ah yep, I did change my password when it was announced they were now case sensitive and longer than whatever the old limit was.
Was a while ago, I'm with a different bank now.