Passwords should not be cast to lower case #1180
Comments
|
Normally I'd agree with you, but in the case of private servers I think case-insensitive passwords are the least of your concerns. 2004Scape allows passwords up to 20 characters, which isn't feasible to brute-force over the network (hopefully some kind of rate-limiting is in place, though I haven't checked) even with only lowercase letters and numbers.
I have to acknowledge that dictionary attacks will be far faster. I'm not suggesting that If the database is breached, it's a different story. Don't reuse username/password combinations across multiple services - that never ends well. While RuneScape itself doesn't support pasting passwords (RuneLite has implemented this feature but it's never been vanilla) some password managers support autotyping your details. |
The login logic casts passwords to lower case when creating the user and when checking for password validity.
https://github.com/2004Scape/Server/blob/main/src/server/login/LoginServer.ts#L54
I know this was used in runescape, but this is a serious security violation.
Is there any reason not to change this?
The text was updated successfully, but these errors were encountered: