For about the last week, while I have been able to log in to Citi's website to access my account, once I actually tried to get the details for the account I was redirected to a page indicating that there was a temporary problem and that I should try again later. Finally today I gave them a call.

Their first suggestion surprised me: I had used punctuation symbols in my password and I was told that while this had worked for years, only letters and numbers are allowed in passwords now. So I reset my password as directed and used only letters and numbers. The problem persisted. I was then asked if I had used upper case letters. I admitted that I had used a combination of numbers, upper case, and lower case letters. At this point I was rolling my eyes but was going to go ahead and reset my password again. But I was told that in fact there was no need to reset my password; simply use the same password, but wherever I had specified an upper case letter, use the lower case version.

And this worked. Despite the fact that I had specified my password with a mix of upper and lower case, I can log in either with the mix of upper and lower case or with every letter in lower case.

Are there hash algorithms which are upper and lower case agnostic? Or should I assume that they store a hash of both the original password form and a lower cased version?

The story goes on, but the verdict finally was that Chromium on Linux is not acceptable, but IE 11 on Windows 7 is, and I was finally able to download my most recent statement. I guess it's a good thing that I like to play computer games and so keep a Windows installation handy.
Don't try to overthink it. The sad truth is that password management is a total boondoggle, especially for banks. This is due to a huge body of superstition and cargo-cult policies on how to do it, how everyone else is doing it, and how the mess of regulations concerning password/credit card info tell you to do it.

There are of course best practices concerning how to correctly, securely, and safely manage passwords, but these pale in comparison to all the "common knowledge" about proper "password rules" and "encryption methods" out there.

Many banks will limit password length, limit your character set, forbid non-alphanumerics, auto-lowercase, choose an obvious login for you, limit you to easily-google-able "secret" questions, and prevent you from pasting in a password from a password manager app, and do other things that limit your ability to choose secure credentials. These days you are lucky if your bank lets you actually choose a password instead of just assigning you an unchangeable 4-digit numeric PIN!
I have to assume that the tech support person's idea that my problem was related to my password (punctuation characters, upper case letters) was nothing more than technical superstition. I'm often surprised how often I seem to run into what I can only consider superstition when talking to first level technical support personnel.
> Are there hash algorithms which are upper and lower case agnostic? Or should I assume that they store a hash of both the original password form and a lower cased version?

The hash may not be case insensitive, but I've seen plenty of code in and around password handling code that forces all letters to be lower/upper case prior to hashing.

(There's rarely ever any explanation as to why, nor anyone still around who admits to writing that code.)
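The "lowercase before hashing" pattern described in the comment above, and the question it answers, as an added Python example that is not code from this thread or from any bank: the same PBKDF2 routine with and without the case-folding step, plus a count of how many distinct passwords collapse onto one stored hash once case is folded. The salt, iteration count and sample password are constructed values.

```python
import hashlib
import hmac
import math

# Constructed parameters for the demonstration (not any real system's values).
ITERATIONS = 100_000
SALT = b"constructed-demo-salt"


def hash_password(password: str, salt: bytes, fold_case: bool = False) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password.

    fold_case=True reproduces the pattern where the code lowercases the
    password before hashing; the digest itself is never case-insensitive,
    the normalisation step in front of it is what makes logins case-agnostic.
    """
    if fold_case:
        password = password.lower()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify_password(stored: bytes, salt: bytes, attempt: str, fold_case: bool = False) -> bool:
    """Recompute with the same normalisation and compare in constant time."""
    candidate = hash_password(attempt, salt, fold_case)
    return hmac.compare_digest(stored, candidate)


def case_variants(password: str) -> int:
    """How many distinct strings fold to the same lowercase form.

    Every letter can be upper or lower, so 2 ** (number of letters) candidate
    passwords all verify against one case-folded hash.
    """
    return 2 ** sum(1 for ch in password if ch.isalpha())


def entropy_loss_bits(password: str) -> float:
    """Bits of password entropy thrown away by case folding before hashing."""
    return math.log2(case_variants(password))


if __name__ == "__main__":
    pw = "Secret123"  # constructed sample password
    folded = hash_password(pw, SALT, fold_case=True)
    strict = hash_password(pw, SALT)
    print("folded: lowercase attempt accepted:", verify_password(folded, SALT, pw.lower(), True))
    print("strict: lowercase attempt accepted:", verify_password(strict, SALT, pw.lower()))
    print(f"case folding discards {entropy_loss_bits(pw):.0f} bits ({case_variants(pw)} variants)")
```

The strict variant rejects the lowercased attempt, which is the behaviour the original poster expected; the folded variant accepts it, matching what they observed.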
I consistently find myself in similar situations. I've found some sites drop characters after a certain limit. Some sites only allow numbers and letters.

It's truly maddening that these people are just awful. I wish there were a way to get them to change their rules.