Passwords should not be cast to lower case

[nacorid]

The login logic casts passwords to lower case when creating the user and when checking for password validity.
https://github.com/2004Scape/Server/blob/main/src/server/login/LoginServer.ts#L54
I know this was used in runescape, but this is a serious security violation.

Is there any reason not to change this?

[Frosty-J]

Normally I'd agree with you, but in the case of private servers I think case-insensitive passwords are the least of your concerns. 2004Scape allows passwords up to 20 characters, which isn't feasible to brute-force over the network (hopefully some kind of rate-limiting is in place, though I haven't checked) even with only lowercase letters and numbers.

Length	Possible Combinations
5	60,466,176
8	2,821,109,907,456
12	4,738,381,338,321,616,896
16	7,958,661,109,946,400,884,391,936
20	13,367,494,538,843,734,067,838,845,976,576

I have to acknowledge that dictionary attacks will be far faster. I'm not suggesting that monkey is a difficult password to crack.

If the database is breached, it's a different story. Don't reuse username/password combinations across multiple services - that never ends well. While RuneScape itself doesn't support pasting passwords (RuneLite has implemented this feature but it's never been vanilla) some password managers support autotyping your details.

[Devenir377]

Could allow the use of password managers in downloadable client. Limit pasting to title screen only.

[Katilith]

iirc it is period-accurate that they're cast to lowercase, as well

[nacorid]

iirc it is period-accurate that they're cast to lowercase, as well

It is, but back in the days passwords weren't hashed, before saving them in the database, and everyone would agree, that that is bad as well.
I strongly believe period-accuracy should not go above security.

Especially for something that can be fixed as easily as this.

[Frosty-J]

Any hashing or lack thereof is an implementation detail that has no bearing on the end user's experience. Passwords being case-insensitive, while I'm not happy about Jagex's lack of communication regarding this fact, is a design decision*. For example, Facebook accepts passwords in reversed case (e.g. Caps Lock) and with the first letter capitalised (due to mobile auto-capitalisation, though I don't know on what device this was ever an issue).

If it is decided that this should be changed, we're also in the same pickle Jagex was, where changing it would affect users. Removing the lowercase conversion during login could prevent anyone used to using mixed case from being able to log in (remember it was converted to lower at point of registration) and not all accounts have an email address linked for recovery. But this is young enough that I guess putting a banner up about the change (like the ones about multilogging and world hopping) would catch most active users.

*On second thought, did Jagex reuse their base37 system for passwords? It would seem a little desperate to do so, but could make sense given all the optimisations RuneScape used to have.

[2mac]

For going forward without interfering with existing users, you could just add a flag in the database which marks the password as being lowercased, and unset the flag when the password is changed. Or hash the password both ways and see if one of them matches. There's probably an even better solution I'm not thinking of immediately, but my point is that there are ways to solve the problem without locking people out of their existing accounts.

[HoofedEar]

iirc it is period-accurate that they're cast to lowercase, as well

It's also literally what Jagex uses, right now, for Old School RuneScape
https://oldschool.runescape.wiki/w/Password

Passwords are not case sensitive in OSRS, and they are cast to lowercase.

Edit: Corrected, see below

[Frosty-J]

Yes and no. Accounts with the old account system are case-insensitive. Jagex Accounts are case-sensitive and all new players have been forced into this system for over a year at this point.

[DelashmitYT]

"Passwords being case-insensitive, while I'm not happy about Jagex's lack of communication regarding this fact, is a design decision*."

Couldn't the same be said here? Feels like an odd design decision to maintain historical authenticity for passwords while also acknowledging the existence of Jagex Accounts with their improved security.

I strongly believe period-accuracy should not go above security.

Can't agree with this more. I genuinely hope this gets reconsidered, even if the oldheads aren't used to mixed case.

[KeepBotting]

Jagex accounts did not exist before 2023, they are only relevant to OSRS and RS3, not RS2

[DelashmitYT]

Jagex accounts did not exist before 2023, they are only relevant to OSRS and RS3, not RS2

I still don't understand why that is an excuse to not have improved security.

[mark-b5]

I still don't understand why that is an excuse to not have improved security.

Okay

[zeruth]

Jagex accounts did not exist before 2023, they are only relevant to OSRS and RS3, not RS2

I still don't understand why that is an excuse to not have improved security.

Quite simply it isn't. But you have a huge group of people who will scream authenticity any chance they can.

unless....

Game breaking bug? we'll fix that.
Cheaters? we'll rework protocol
Client? port it to TS, and use that

Case sensitive passwords? ILLEGAL.

[zeruth]

And one further comment, 2fa has been in the works for a while, in-fact the db schema was recently merged at #1519

I think that is a pretty damn fair solution that is even better than case sensitivity. 🥂