stainer wrote on May 24th, 2012 at 10:35am:
Only if you are just using letters, have a short password, and use something that a dictionary attack would grab. It is 2012... people should know password security.
3445kardo11*! is a good password.
orange or ORANGE or oRanGe are all terribad passwords.
If you read the D3 forums it sounds like the people getting hacked are going to phishing sites, or are downloading trainers/cheats (as if the fucking game is too fucking hard).
I am serious, there isn't a "hacking" problem. There is a "stupid user" problem.
There's always a stupid user problem. That's eternal. I guarantee that some people who would never use a special character in a password will actually use capital letters, just because it's easy and they already use them all the time. I'm having a hard time figuring out a legitimate technical reason there might be for making passwords case insensitive. It seems to just make the system less secure while providing no benefit.
And with password crackers, there is a real difference between the inclusion or exclusion of capital letters. Assuming 26 letters, 10 digits, and no special characters, for an 8-character password:
Not case sensitive = 36! / (36 - 8)! = 36! / 28! = 1,220,096,908,800 = 1.22 x 10^12
Case sensitive = 62! / (62 - 8)! = 62! / 54! = 136,325,893,334,400 = 1.36 x 10^14
That's a difference of two orders of magnitude. That means that a password cracker that could crack your "good" case-insensitive password in 4 hours would need 400 hours to crack your good case-sensitive password. That's a big deal.
Edited: I agree with your point, though, about phishing vs. cracking. It sounds like this particular scenario is more a matter of cracking the user, not the password.
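The keyspace comparison from the post above, as an added example that is not part of the original thread. It reproduces the post's n! / (n - k)! figures, which count strings with no repeated character, and goes beyond the post by also counting strings where characters may repeat and by showing how many case spellings a case-insensitive check accepts for one password; all function names are made up for this illustration.

```python
from itertools import permutations, product
from math import perm
import string

FOLDED = string.ascii_lowercase + string.digits   # 36 symbols, case ignored
CASED = string.ascii_letters + string.digits      # 62 symbols, case kept

def keyspace(alphabet_size, length, allow_repeats):
    """Number of candidate passwords of exactly `length` characters."""
    if allow_repeats:
        return alphabet_size ** length        # every position is independent
    return perm(alphabet_size, length)        # n! / (n - k)!, as in the post

def brute_force_count(alphabet, length, allow_repeats):
    """Enumerate candidates to cross-check keyspace() on small inputs."""
    if allow_repeats:
        candidates = product(alphabet, repeat=length)
    else:
        candidates = permutations(alphabet, length)
    return sum(1 for _ in candidates)

def case_variants(password):
    """Case-sensitive spellings that a case-insensitive check treats as equal."""
    return 2 ** sum(ch.isalpha() for ch in password)

def scaled_hours(base_hours, length, allow_repeats):
    """Exhaustive-search time for 62 symbols, given the time for 36 symbols."""
    small = keyspace(len(FOLDED), length, allow_repeats)
    large = keyspace(len(CASED), length, allow_repeats)
    return base_hours * large / small

if __name__ == "__main__":
    for repeats in (False, True):
        label = "repeats allowed" if repeats else "no repeated characters"
        print(label)
        print("  case-insensitive:", f"{keyspace(36, 8, repeats):,}")
        print("  case-sensitive:  ", f"{keyspace(62, 8, repeats):,}")
        print("  4 hours becomes: ", round(scaled_hours(4, 8, repeats)), "hours")
    # Sample passwords taken from the quoted post.
    for pw in ("oRanGe", "3445kardo11*!"):
        print(pw, "->", case_variants(pw), "spellings accepted when case is ignored")
```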