2018-01-05 - Re: [GRASE-Hotspot] NOT CASE SENSITIVE LOGIN CREDENTIALS

Header Data

From: Gerard Pacete <ge***1@gmail.com>
Message Hash: 10a250e6a7b4552da41dadcdda4aff355dc018c1f4cb4fc7c81c5aa13959adc1
Message ID: <63a94208-9021-485f-b696-37707962dcd7@grasehotspot.org>
Reply To: <CAESLx0LZHYaSHodcSvTj=X_OhcFUameMWu57pfEioA=ZL=2YpA@mail.gmail.com>
UTC Datetime: 2018-01-05 19:22:38 UTC
Raw Date: Fri, 05 Jan 2018 18:22:38 -0800

Raw message

Hi Tim,

Some or most of our users are actually not techy and to mention also that 
about 30% of personnel are aged 50++ that's why most of our systems are 
adjusted to be more efficient although they are considered running "less 
secured".

I can make the passwords lowercase/uppercase on the DB side. I'm still trying 
to dig deeper on uam and radmin JS files to locate where I can modify to 
ensure conversion of password to specific case before doing authentication. 
Honestly, I'm not so good yet on HTTP docs including on JS, that's why I 
found it quite hard to modify something.. xD

Thanks by the way,
Gerard

On Friday, January 5, 2018 at 2:33:31 AM UTC-8, timwhite88 wrote:
>
> Hi Gerard 
>
> Due to how CHAP auth works, you need to modify the databases to all be 
> stored in a consistent case (i.e. lower case), and then in the JS 
> ensure that you lowercase the password before doing CHAP auth on it. 
>
> By default, the generated passwords should be lower case, are you 
> having particular issues with the case sensitivity? Forcing things to 
> be case insensitive is technically reducing the security of the 
> system. 
>
> Regards 
>
> Tim 
>
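
Added example (not part of the original thread, and not GRASE or CoovaChilli code): a Python sketch of the RFC 1994 CHAP computation, showing why the advice above needs the same case rule on both the database and the login page, and what folding case costs in password entropy. The `normalize` helper, the sample passwords and the 8-character length are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def normalize(password: str) -> str:
    """Hypothetical helper: the single case rule both sides must share."""
    return password.lower()


def server_accepts(stored: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """The server only ever sees the hash, never the typed password, so it
    cannot compare case-insensitively. It recomputes from its stored secret."""
    expected = chap_response(ident, stored, challenge)
    return hmac.compare_digest(expected, response)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def demo() -> dict:
    ident, challenge = 0, os.urandom(16)
    stored, typed = "Blue7Kite", "blue7kite"  # constructed sample values
    low_stored, low_typed = normalize(stored), normalize(typed)

    def attempt(db_value: str, client_value: str) -> bool:
        return server_accepts(db_value, ident, challenge,
                              chap_response(ident, client_value, challenge))

    return {
        "no_change": attempt(stored, typed),        # case differs: rejected
        "client_only": attempt(stored, low_typed),  # DB still mixed case: rejected
        "db_only": attempt(low_stored, stored),     # client sends mixed case: rejected
        "both": attempt(low_stored, low_typed),     # same rule on both sides: accepted
    }


if __name__ == "__main__":
    print(demo())
    # 8 random characters: a-z, A-Z, 0-9 (62 symbols) versus a-z, 0-9 (36 symbols)
    print(round(keyspace_bits(62, 8), 1), "bits vs", round(keyspace_bits(36, 8), 1), "bits")
```

Only the case where both sides apply the same rule authenticates, and an 8-character random password loses about 6 bits of entropy once case is folded.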
