Can websites tell if I'm using Caps Lock?

If my password on a website was MrShine999 but I kept entering mRsHINE999 due to accidentally leaving caps lock on, can the website tell the difference between me actually typing mRsHINE999 without caps lock and typing MrShine999 with caps lock?

No. The web site just sees the characters you send it. A capital “S” produced by holding the shift key is identical to the character produced when capslock is on.

Yes and no. Websites can absolutely detect capslock being on or off. A lot of account creation and login pages pages will pop up a warning box saying, essentially, “oops, caps lock is on, be careful when typing your password”.

However, they can’t match your password this way, since the password field is going to just send the characters you entered in a hashed state and match that against the hash they have stored. Technically they could “assume” you meant to do it without caps lock and do a character case inversion before hashing if you hit “submit” while caps lock is on, but making that sort of assumption about user input is usually frustrating and ill advised.

A solution a few places use, Blizzard being one, is to make passwords case insensitive by converting ALL letters to upper or lower case before hashing and sending it (presumably to cut down on “MY PASSWORD ISN’T WORKING WHY???” support tickets when it was just caps lock).

Yeah, let me qualify my answer. A “web site” can’t detect capslock but Javascript can. So if the website has a Javascript program running on your browser then it could.

Nitpick: The password field is going to send the password (hopefully encrypted), not the hash. If they sent the hash then that hash would essentially be the password. A hacker who gains access to the sites list of hashed passwords could spoof the password field by just sending the hashes they have stolen.

Unless you actually use the Caps Lock key frequently, you can easily disable it, or change it to a regular Shift key or Ctrl key. Just search for “Disable Caps Lock” to find it. It does involve editing in the Registry, but you can also download a script to do this automatically.

I did this years ago, converted it to be a regular (unlocked) Shift key, and have never regretted it.

I just pry off the cap lock key on my keyboards…I have found it much more a a nuance than and asset.

i JUST LEAVE MINE ON ALL THE TIME. i HAVEN’T HAD ANY ISSUES.

NOT A LOT OF NUANCE TO SHOUTING ALL THE TIME.

To answer the OP, most websites employ JavaScript to perform input validation. As part of the keypress event, one can query the capslock state:


function (event) {   
    if (event.getModifierState("CapsLock")) { ... do something else

Ah

In fairness, I don’t do web dev so I’m not familiar with the finer details. I thought they hashed before sending, and the encryption was naturally handled by something like https.

And this is why I will never roll my own crypto :stuck_out_tongue:

I don’t know anything about web programming either, but ISTM that- in principle- a password authentication could be carried out using a socialist millionaires’ protocol so that nothing unencrypted is ever sent. In practice https using TLS with perfect forward secrecy should realize this style of secure communication; storing only salted hashed passwords on the server is protection against when the database inevitably gets hacked or stolen.