
How about case insensitive passwords? That one always bugs me because it suggests that maybe they are storing the password.


Case-insensitive passwords are entirely a business decision. Banking websites in particular have huge numbers of non-tech-savvy customers. When they forget their password or type it in incorrectly, they don't go to the password reset form, they call into customer support. This costs an enormous amount of money.

Banks figured the cost of reimbursing people if their account is compromised is lower than the cost of having to field all of those phone calls.

Source: Used to work at a bank.


Yeah, that makes sense.

Once after my account was stolen from, I did a careful look at the website and sent in a list of questions and complaints about their practices. After enough bugging, a person eventually called me. The bottom line was essentially that I shouldn't be concerned because I'm not responsible for fraudulent withdrawals. It wasn't very satisfying.

The thieves got away with around $2400.


Not true, they most likely convert all characters to a certain case before they hash it, so even if you entered PASSworD123 they convert to password123 and then hash.

I believe I read that Facebook stores a few commonly mistyped versions of everyone's password. Actual password, typed as if caps lock was on, things like that.


That's a good point. I'm pretty sure my bank is storing the password because they also limit it to some (small) number of characters. I'm guessing it's because the web interface is just passing it on to some ancient back-end system.


> I'm pretty sure my bank is storing the password because they also limit it to some (small) number of characters.

I love how it's always the banks with these ridiculous password practices. I'm really glad that it's not some site where the password is protecting important information.


That reduces password entropy and makes the hashes easier to crack.


I didn't say it's a good idea; it's awful. Just pointing it out, though.


Well, does it? Even if you crack it you don't have the correct casing. So you don't have the original password. Of course it doesn't help if every other website converts to lower case too.

But if you use bcrypt you can partially compensate by using a higher work factor.


> Well, does it? Even if you crack it you don't have the correct casing.

The 'correct casing' is any member of the set of all permutations of cases. So you both do, don't, and do not care.


Sure, it's possible to do it that way. But if I were taking bets, I know where I'd put my money.


I've seen people write hash functions which change the input to all lower or upper case first. I think it's a pointless, stupid idea (maybe unless it's a VERY low-risk system for people with cognitive disabilities, kids or seniors), but not necessarily unhashed-password-level stupid.


Facebook logins work this way (sort of). They account for flipped case (caps lock on) and for passwords that accidentally have the first letter capitalized.
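The two schemes the thread is circling (normalizing case before hashing, versus hashing the password exactly as typed and checking a couple of variants at login, as described above for Facebook) can both be built on a plain salted hash, so neither requires storing the password. The block below is an added example, not code from this thread, from Facebook or from any bank: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, the variant set (caps-lock flip, accidental first capital) is taken from the comments, and `case_bits_collapsed` makes the entropy argument from earlier in the thread concrete.

```python
"""Case-tolerant password verification without plaintext storage.

Added example. PBKDF2-HMAC-SHA256 stands in for bcrypt; the variant list
is an assumption based on the thread's description, not any site's real code.
"""
import hashlib
import hmac
import os
from typing import Iterator, Optional, Tuple

ITERATIONS = 100_000  # work factor; raise it to offset lost entropy


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _matches(candidate: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so a mismatch does not leak how many bytes agree.
    return hmac.compare_digest(_kdf(candidate, salt), digest)


# --- Approach 1: lowercase before hashing (the "convert then hash" scheme) ---

def hash_lowercased(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, _kdf(password.lower(), salt)


def verify_lowercased(attempt: str, salt: bytes, digest: bytes) -> bool:
    return _matches(attempt.lower(), salt, digest)


# --- Approach 2: hash exactly as typed, try a few slips at verification time ---

def hash_exact(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, _kdf(password, salt)


def case_variants(attempt: str) -> Iterator[str]:
    """The attempt as typed, the caps-lock flip, and the first-letter fix."""
    seen = set()
    for variant in (attempt, attempt.swapcase(), attempt[:1].lower() + attempt[1:]):
        if variant not in seen:
            seen.add(variant)
            yield variant


def verify_tolerant(attempt: str, salt: bytes, digest: bytes) -> bool:
    # Costs one extra KDF run per rejected variant, and hands an online guesser at
    # most three tries per submission; the stored value is still a single hash.
    return any(_matches(v, salt, digest) for v in case_variants(attempt))


def case_bits_collapsed(password: str) -> int:
    """Letters in the password: each has two casings, so lowercasing before
    hashing merges up to 2**n distinct passwords into one stored hash."""
    return sum(1 for ch in password if ch.isalpha())


if __name__ == "__main__":
    salt, digest = hash_exact("hunter2!x")  # constructed sample password
    print("caps-lock attempt accepted:", verify_tolerant("HUNTER2!X", salt, digest))
    print("bits collapsed by lowercasing:", case_bits_collapsed("hunter2!x"))
```

The point of contrast: lowercasing before hashing collapses up to one bit per letter for an offline cracker, while the variant approach concedes at most log2(3) bits and leaves the stored hash tied to the exact password the user chose.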


I knew I was forgetting something!



