Should passwords be compared culture-specifically or for binary equality?

As everyone knows, there are different ways to compare strings in Unicode. One of them is culture-specific. This is a well-worked-out topic in .NET, too.

I am currently in the place where I have to compare two passwords for equality and inequality. (No, not to compare against the store; that is of course done salted and hashed!) So this is for the change-password dialog.

Question here: should it be culture-specific or agnostic (e.g. in C#, string.Compare() / == or string.CompareOrdinal())?

What are the implications?

Apparently hashing is culture-agnostic (at least in .NET)?

Jon Skeet

It should match the equality that will be tested for the hashed version.

Basically, imagine that one of the passwords was stored, and you were trying to log in with the other - would it work? That's surely what you're trying to test.

I'd personally be tempted to simply hash them both with the exact same code that you're using elsewhere, and compare the results - that way you're guaranteed to be consistent with what you really care about.

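To make the answer concrete, here is an added example (my code, not from the question or from Jon Skeet's answer) that runs the three candidate comparisons side by side on a few constructed string pairs: culture-sensitive `string.Compare`, ordinal equality (which is what `==` on C# strings already does), and Jon's "hash both with the same code and compare the digests" approach. It assumes .NET 6 or later for `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes`; the PBKDF2 iteration count, salt and hash lengths, and the `PasswordCompare` class and method names are illustrative choices of mine, not anything the original thread specifies.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;

// Added example, not code from the original question or answer.
// Assumes .NET 6+ (Rfc2898DeriveBytes.Pbkdf2, RandomNumberGenerator.GetBytes).
static class PasswordCompare
{
    // Illustrative parameters, not a recommendation for a specific deployment.
    const int Iterations = 100_000;
    const int SaltBytes = 16;
    const int HashBytes = 32;

    // The same routine the login path would use: PBKDF2-HMAC-SHA256 over the
    // UTF-8 bytes of the password. Encoding to bytes is exactly why hashing is
    // culture-agnostic: two strings hash alike only if their code units match.
    static byte[] Hash(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);

    // Jon's suggestion: hash both candidates with identical code and salt,
    // then compare the digests in constant time. The salt is a throwaway
    // value for this one comparison; nothing here is persisted.
    public static bool MatchViaHash(string a, string b)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        return CryptographicOperations.FixedTimeEquals(Hash(a, salt), Hash(b, salt));
    }

    // Code-unit comparison; this is what == on System.String does.
    public static bool MatchOrdinal(string a, string b) =>
        string.Equals(a, b, StringComparison.Ordinal);

    // Culture-sensitive comparison (invariant culture, default options).
    public static bool MatchCulture(string a, string b) =>
        string.Compare(a, b, CultureInfo.InvariantCulture, CompareOptions.None) == 0;

    static void Main()
    {
        // Constructed pairs: each pair renders identically (or nearly so) but
        // differs in code units.
        var pairs = new (string Label, string A, string B)[]
        {
            ("identical",                "Passw0rd!",      "Passw0rd!"),
            ("precomposed vs combining", "caf\u00E9",      "cafe\u0301"),  // é vs e + U+0301
            ("soft hyphen inserted",     "pass\u00ADword", "password"),    // U+00AD is ignorable
        };

        Console.WriteLine($"{"pair",-26} {"culture",-8} {"ordinal",-8} {"hash",-8}");
        foreach (var (label, a, b) in pairs)
        {
            Console.WriteLine(
                $"{label,-26} {MatchCulture(a, b),-8} {MatchOrdinal(a, b),-8} {MatchViaHash(a, b),-8}");
        }
    }
}
```

For the first pair all three columns agree. For the other two, the culture-sensitive comparison reports the strings as equal (canonically equivalent sequences and ignorable characters such as the soft hyphen collapse under collation), while the ordinal and hash columns both report them as different. That gap is the practical problem: a change-password dialog that accepts "new" and "confirm" under culture-sensitive rules can store a hash of the first string that the second string will never reproduce at login. Hashing both inputs through the real password-hashing code keeps the dialog's notion of equality identical to the one the login path will enforce.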

See more on this question at Stackoverflow