They would only have to store a single hash - the proper password.
When you log in to Facebook, they hash the password you gave them and try that. If it fails, they modify the password you gave them, reversing the case on all letters (and possibly convert numbers to special characters, or vice versa - I don't know if they go that far), and hash that.
Remember that when you log in, the server is receiving your password in plain text. Facebook is just "massaging" that data a bit (possibly several times) to try to correct a user error, rather than just bailing at the first sign of trouble.
because as nostromo said then uppercase counts for nothing. Facebook only lets you log in if you accidentally use cap-lock or accidentally capitalize the first letter(quite common on phones). If you lowercased the whole password first, you reduce the benefit of having uppercase characters at all.
I think the point stands for the Blizzard case - there seems to be an assumption in some corners that the password is stored plain text, but I would imagine case neutralised (so to speak) passwords are hashed.
Exposing the timing here can only tell you one thing: the password that you're trying works for Facebook, but the capitalization might be wrong if you're using it to get into the user's account on another site. But since there are only three variants on the password, it gives you effectively nothing. This would be insanely difficult to pull off (many, many login samples) for absolutely no payoff; they might as well save the extra hashes if it works the first time.
Can you do a timing attack against something as fast as a case conversion and a hash function, even if it has a work factor? Normally they're done against database requests aren't they?
You can't do a timing attack against a password hashed serverside, since you don't control the string being compared enough to make iterated byte-at-a-time changes.
Even if I'm misunderstanding, though, this particular remote timing attack is probably not practical in most programming environments; (for instance) straight C memcmp is below the measurement floor, even with signal processing.
That is a great paper; also, check out Crosby and Wallach for the modernized, math-ier take; with signal processing, the measurement limits are nanoseconds on a switched LAN (ie, if you could get a box deployed in the same hosting center as Blizzard) and tens of milliseconds over the Internet:
There was a nice talk at 28c3 called "time is on my side" by Sebastian Schinzel, specifically about timing attacks over the net; it is pleasingly practical in its approach. He attacks the popular typo3 CMS.
I know you can do timing attacks through the network, it's not even that hard in the simple case.
That paper, like most papers on timing attacks, was done on the local network, not the internet. They're relying on absurdly precise measurements of absolutely tiny differences in timing, which would be lost in the jitter and latency of the real internet.
As I said, you can certainly do internet timing attacks where you're looking for database access, because this can take many milliseconds, which is a delay which can be detected even on a crappy internet link using a bit of light statistics.
Right; I guess my thought is that since a hash with a modest work function can also take many milliseconds, this would be meaningful. Not sure in practice, however.
An interesting demo: [1]
By not doing all 3 hashes, an attacker might realise that the password they sent passed, say, 2 checks, but not the third. This discloses information about the relationship between the password the attacker just tried and the correct password.
I see the problem in theory, but in reality, the time of a couple of hash functions compared to network latency and application server routing would be quite small. Can timing attacks actually work in such situations?
I was referring to Facebook with my comment, not Diablo 3.
Facebook massages the data to allow you to login even if you have caps lock on, so "pASSWORD" works when your password is "Password", or if, e.g., your phone capitalizes the first character in your password, so "Password" works when your password is "password".
Because this isn't how they do it. that method is the same as the Blizzard method, and it is a lot less secure than transforming the plain text and trying the three different combinations(normal, uppercase first and capslock password)
No, they only need to store a single hashed password. For authentication they can just try out the other 2 transformations above and see if any of them matches what's on file.
