
As everyone knows, there are different ways to compare strings in Unicode. One of them is culture specific. This is a well worked out topic in .NET, too.

I am currently in the place where I have to compare two passwords for equality and inequality. (No, not to compare against the store - this is of course done salted and hashed!) So this is for the change password dialog.

Question here: Should it be culture specific or agnostic (e.g. in C#, string.Compare() (==) or string.CompareOrdinal())?

What are the implications?

Apparently hashing is culture agnostic (at least in .NET)?

Robetto

2 Answers

3

It should match the equality that will be tested for the hashed version.

Basically, imagine that one of the passwords was stored, and you were trying to log in with the other - would it work? That's surely what you're trying to test.

I'd personally be tempted to simply hash them both with the exact same code that you're using elsewhere, and compare the results - that way you're guaranteed to be consistent with what you really care about.

Jon Skeet
  • Thanks, this approach seems to me very reasonable, since it is essential what will happen if the user actually logs in next time. – Robetto Jan 23 '15 at 12:14
  • I have to come back to this another time but in a slightly different way. You said it ought to be compared only as the hashed version. But still, there could be something like a Unicode normalization beforehand. So that two basically different strings become the same password. So for example think of apostrophes. Unicode compares [`][a] equal to [à]; ordinal compare would fail. So how would you do this with hashing? Unicode normalization? Is normalization culture specific like collation? Too many questions. Just force the user to use the same way to enter the PW + same keyboard. – Robetto Jan 23 '15 at 13:56
  • @Robetto: That's a decision for you to make, really. You could normalize or not. I *probably* wouldn't normalize, but there are probably arguments both ways. (Imagine if two different OSes provided different input for the same keystroke...) – Jon Skeet Jan 23 '15 at 14:06
0

You specified for the change password dialog, so I'll address that.

Since the only purpose for their entering a password in the change password dialog is for that password to be salted and hashed with sufficient rounds of BCrypt, SCrypt, or PBKDF2, and since all three of those use primitives that operate on bytes or sets of bytes (i.e. they work on ones and zeroes), then the passwords are only the same if their bits are the same.

Thus, you must use binary equality.

On a more practical note, since they just typed it in twice back to back, you should expect and enforce that they type it exactly the same way each time!

Yes, hashing is culture agnostic, because hashing operates on bits and bytes, NOT on symbols or meanings or even characters as such.

Anti-weakpasswords
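The following C# program is an added example, written for this page rather than taken from either answer. It puts the two answers side by side for one constructed input: the word "café" entered once with the precomposed U+00E9 and once as "e" followed by the combining acute U+0301. It shows that a culture-aware string.Compare treats the two entries as equal while ordinal comparison (which is also what C#'s == on strings does) and a PBKDF2 hash of each entry do not, and that Unicode normalization, which is culture-independent, is what would make them equal if you chose to apply it. The salt, iteration count and hash length are example values chosen here, not parameters from the page, and the static Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes calls require .NET 6 or later.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original answers): three ways the
// "new password" / "confirm password" fields could be checked for equality.
static class PasswordChangeCheck
{
    // Constructed inputs: the same visible text "café" typed as the
    // precomposed U+00E9 and as "e" followed by the combining acute U+0301.
    const string Precomposed = "caf\u00E9";
    const string Decomposed  = "cafe\u0301";

    // Culture-aware comparison (string.Compare): collation treats canonically
    // equivalent sequences as equal, so the two entries look like one password.
    static bool CultureEqual(string a, string b) =>
        string.Compare(a, b, CultureInfo.InvariantCulture, CompareOptions.None) == 0;

    // Ordinal comparison: UTF-16 code unit by code unit, no linguistic rules.
    // This is also what C#'s == operator on strings does.
    static bool OrdinalEqual(string a, string b) =>
        string.Equals(a, b, StringComparison.Ordinal);

    // The check the change-password dialog should make: run both entries
    // through the same KDF the login path uses and compare the outputs byte
    // for byte in constant time. The KDF only ever sees UTF-8 bytes.
    static bool HashEqual(string a, string b, byte[] salt)
    {
        const int Iterations = 600_000;  // example work factor, chosen for this demo
        byte[] ha = Rfc2898DeriveBytes.Pbkdf2(a, salt, Iterations, HashAlgorithmName.SHA256, 32);
        byte[] hb = Rfc2898DeriveBytes.Pbkdf2(b, salt, Iterations, HashAlgorithmName.SHA256, 32);
        return CryptographicOperations.FixedTimeEquals(ha, hb);
    }

    static void Main()
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);  // per-demo salt, constructed here

        Console.WriteLine($"UTF-8 byte counts:   {Encoding.UTF8.GetByteCount(Precomposed)} vs {Encoding.UTF8.GetByteCount(Decomposed)}");
        Console.WriteLine($"Culture-aware equal: {CultureEqual(Precomposed, Decomposed)}");
        Console.WriteLine($"Ordinal equal:       {OrdinalEqual(Precomposed, Decomposed)}");
        Console.WriteLine($"Hash equal:          {HashEqual(Precomposed, Decomposed, salt)}");

        // Normalization is culture-independent, unlike collation. Applying NFC
        // to both entries makes them byte-identical; if you do this here, the
        // login path must apply the identical normalization before hashing.
        string na = Precomposed.Normalize(NormalizationForm.FormC);
        string nb = Decomposed.Normalize(NormalizationForm.FormC);
        Console.WriteLine($"Ordinal equal after NFC: {OrdinalEqual(na, nb)}");
        Console.WriteLine($"Hash equal after NFC:    {HashEqual(na, nb, salt)}");
    }
}
```

The point to take from the output is that only the hash comparison answers the question the dialog is really asking ("would this entry log the user in later?"), and it agrees with the ordinal comparison, not the culture-aware one, because the stored hash was computed from bytes. Whether to normalize before hashing is a separate policy choice; whichever way it goes, the change-password path and the login path must make it identically, or a password accepted at change time can be rejected at login.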