
I have a Samsung Evo 850 SSD, the 500GB model and it's supposed to benefit from Full Disk Encryption (FDE). Once you set a HDD password in the BIOS the FDE is supposed to kick in.

However, I was surprised to discover that the password for my HDD is case insensitive.
I am aware that the hardware encryption employed by the SSD is pretty much a black box and cannot be reviewed.
It's also pretty obvious that the password complexity is dramatically reduced because of this feature.

Is it common for drive-based FDE to use case-insensitive passwords? Is there any reason why this must be done (e.g. compatibility with pre-UEFI systems)?

Neil Smithline
Radu Potop
  • I'm curious: what are the other password rules? (Guessing that digits probably allowed, but no special characters.) Is there a minimum length or max length given in the UI? – mostlyinformed Oct 16 '15 at 15:03

4 Answers


The strength of an encryption solution is directly tied to the number of possible passwords. A brute force attack simply tries all possible passwords so it will succeed more quickly if the number of distinct passwords is smaller. Case insensitivity means the attacker only has to try lower case passwords since 'EXAMPLE', 'eXamplE' and 'ExAmPlE' would all be seen as the same password as 'example'.

The number of attempts required for a brute force attack is roughly half the total number of possible passwords which is calculated by taking the number of distinct characters to the power of the length of the password. A typical example character set is upper case, lower case, digits and special characters, which might add up to 96 distinct characters. Removing upper case would decrease the number of passwords in this example from 96 to 70, assuming the three other types are all included. So, for an 8 character password this change would weaken the password strength by a factor of approximately 12.5. [That's 96^8/70^8.]

In a situation where you have diminished password complexity, it becomes much more important that you use a long password. It's a subtle point, but the diminished complexity erodes the value of extra length. For example, 96^9/70^9 is about 17.2, so going from 8 character passwords to 9 character passwords is more effective if the passwords are also more complex.

JaimeCastells

For reference, should anyone still be looking for an answer.

Turns out it is because most BIOSes will use the scancodes of the keys that the individual BIOS supports for password input. Shift and Caps Lock are ignored in the laptops I've encountered (Lenovo, HP, Dell; business-line laptops).

olditfart
  • Do you have any source for this? It's an interesting case of technical debt (i.e. keeping BIOS alive), this one. – korrigan Feb 22 '18 at 19:34
  • I've now marked this as the accepted answer as this seems to be the root of the issue. I've noticed that moving the same hard drive to a newer laptop with an EFI-type BIOS (graphical) fixes this. The old BIOS seems to only accept the first 8 characters, case insensitive. This was indeed on a Dell 7000. – Radu Potop Feb 26 '18 at 15:55

Think about the overall concept of "security" as protecting data from loss. There are several forms of loss. There is loss to a malicious third party, but there is also the loss of access to the data, meaning the owner can't get to it anymore. This would happen if the user gets the password wrong.

Presuming the encryption is cryptographically strong, Samsung knows that no one is capable of recovering the password for the user -- a forgotten password means a complete loss of data. By setting case insensitivity, they are helping prevent the case where the user remembers something about the password but may not remember all the specific details.

As others have said, the strength of the security lies with choosing a sufficiently lengthy password. With case insensitivity reducing the brute-force search space, the person setting the password needs to increase the password length to compensate.

John Deters

Presuming that you can still input a mixed-case password, then this doesn't have any impact provided you follow standard best practice for passwords, ensuring length (e.g. ten characters minimum) and presupposing you are using a password which would not be found in password dictionary files.

Or are you saying that a mixed case password is being converted/stored as all lower case, and you wish to know what the resultant drop in entropy is?

  • This question has no easy answer. I was asking whether anyone has *some* knowledge of Samsung's implementation, or whether it's common for other SSD vendors to dumb down their FDE with case insensitive passwords. – Radu Potop Oct 20 '15 at 10:13