Facebook passwords are not case sensitive (update)

Summary: If your Facebook password contains letters (not just digits), there is a second string that also logs you in to the social network: the same password with the case of every letter flipped.

I just made a small discovery about Facebook passwords: they are not completely case sensitive. If your password contains letters (as in, it isn't just digits), there is a second string that will also log you in to the social network.

Earlier today, I needed to check Facebook in Microsoft Internet Explorer 9, my alternative browser to Google Chrome. For whatever reason, I had my caps lock key on. Despite this, I still managed to log in to Facebook just fine.

I did a little investigation and soon realized what was happening. If you reverse the case of every letter in your password, you can still log in to Facebook. Seriously, go try it yourself.

This means that if your password is password1234, you can also log in with PASSWORD1234, but not with any other mix of upper and lower case. If your password is PaSsWoRd1234, you can also log in with pAsSwOrD1234, but again not with any other combination. Digits and symbols are unaffected, since caps lock does not change them.

Even if you have both lower and upper cases in your password, you can still have the caps lock key on when you log in. Just remember to hit the shift key in the right places, and you'll still get in fine.

On its own this isn't a huge security problem, but it does help anyone trying to brute force your Facebook account: every guess is effectively tested against two case patterns at once (the one typed and its mirror image), so an attacker needs at most half as many guesses to cover every casing of a given string.

I'm not sure if this is by design or not, so I've contacted Facebook and asked for clarification.

Update: This is by design after all. I got in touch with Fred Wolens of Facebook's security PR team and he explained the details to me. Here is what I learned (I also asked him for a written statement, which I'll add to the post when I get it).

Facebook actually accepts three forms of your password:

  1. Your original password.
  2. Your original password with the first letter capitalized. This is to accommodate mobile devices, which often capitalize the first character of a word automatically.
  3. Your original password with the case of every letter reversed, for people who have the caps lock key on.

The third case is the one I stumbled upon today. Wolens told me Facebook has had this implemented "for a while," although he couldn't say exactly how long. He also noted that Facebook doesn't believe this impacts the security of users' passwords, since the characters are still unique, just flipped.
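To make the three accepted forms concrete, and to put a number on the brute-force point raised earlier, here is an added example. It is my code, not Facebook's, and Facebook has not said how it implements the rule. The assumed design: the server keeps a single salted PBKDF2 hash of the password exactly as typed at signup, and at login it inverts the two tolerated transforms (caps-lock flip and first-letter capitalization) on whatever the user typed, so that at most three candidates are hashed and compared against that one stored digest. The second half enumerates every casing of a password and counts, by greedy set cover, how many guesses an attacker needs so that some guess unlocks each casing; for the sample password it comes out at exactly half of the 256 casings, so the mobile-capitalization rule adds nothing here beyond the caps-lock halving. The work factor, the salts and the sample passwords are constructed for the demo.

```python
"""Login check that tolerates three forms of one password (added example).

This is not Facebook's code; Facebook has not said how it implements the
rule.  Assumed design: the server stores ONE salted PBKDF2 hash of the
password as typed at signup, and at login inverts the two tolerated
transforms (caps-lock flip, first-letter capitalisation) on what the user
typed, so that at most three candidates are hashed and compared.
"""
import hashlib
import hmac
import itertools
import os

PBKDF2_ROUNDS = 50_000  # assumed work factor, kept low for the demo


def caps_lock(s: str) -> str:
    """Flip the case of ASCII letters only, exactly as a caps-lock key does."""
    return "".join(
        chr(ord(c) ^ 0x20) if ("a" <= c <= "z" or "A" <= c <= "Z") else c
        for c in s
    )


def lower_first(s: str) -> str:
    """Undo a mobile keyboard auto-capitalising the first character."""
    return s[0].lower() + s[1:] if s and "A" <= s[0] <= "Z" else s


def candidate_originals(typed: str) -> list:
    """Original passwords of which `typed` is an accepted form, no duplicates.

    typed == original, typed == caps_lock(original), or typed == original
    with its first letter capitalised (so original == lower_first(typed)).
    """
    out = []
    for cand in (typed, caps_lock(typed), lower_first(typed)):
        if cand not in out:
            out.append(cand)
    return out


def make_record(password: str, salt: bytes = b"") -> tuple:
    """Store a single salted hash of the password exactly as typed at signup."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(typed: str, record: tuple) -> bool:
    """Accept `typed` if any inverted form of it hashes to the stored digest.

    Every candidate is hashed even after a match, so a rejection costs the
    same as an acceptance and the timing does not reveal which form failed.
    """
    salt, stored = record
    ok = False
    for cand in candidate_originals(typed):
        digest = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, PBKDF2_ROUNDS)
        ok |= hmac.compare_digest(digest, stored)
    return ok


def case_variants(base: str) -> list:
    """Every casing of the ASCII letters in `base` (2 ** letters strings)."""
    choices = [(c.lower(), c.upper()) if c.isascii() and c.isalpha() else (c,)
               for c in base]
    return ["".join(t) for t in itertools.product(*choices)]


def guesses_to_cover(base: str) -> list:
    """Greedy set cover: guesses needed so that some guess unlocks every casing.

    A guess g unlocks exactly candidate_originals(g), so an attacker who
    does not know the casing never has to try every variant of the string.
    """
    pool = sorted(case_variants(base))
    uncovered = set(pool)
    chosen = []
    while uncovered:
        best = max(pool, key=lambda g: len(set(candidate_originals(g)) & uncovered))
        chosen.append(best)
        uncovered -= set(candidate_originals(best))
    return chosen


if __name__ == "__main__":
    rec = make_record("PaSsWoRd1234")  # sample password from the post
    for typed in ("PaSsWoRd1234", "pAsSwOrD1234", "PASSWORD1234", "password1234"):
        print(f"{typed!r:>16} -> {verify(typed, rec)}")
    variants, cover = case_variants("password"), guesses_to_cover("password")
    print(f"{len(variants)} casings of 'password' fall to {len(cover)} guesses")
```

Note the cost asymmetry this design creates: each rejected login costs the server up to three password hashes but counts as a single attempt against any lockout or throttling, so the throttle budget should be set with the multiplier in mind.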

Wolens emphasized that Facebook still runs a number of security checks after the password is accepted. For example, if you log in from an unrecognized device, or from two locations that are very far apart, it will prompt you for a verification code.

Facebook may say there is little risk in its password practices, but this comes off as blasé, according to my colleague Ryan Naraine. Ease of use can turn into a security problem down the road, which is why many services warn you that caps lock is on instead of simply accepting a "flipped" version of your password.

Update 2: "Nothing is more important to us than the security of our users and their information," a Facebook spokesperson said in a statement. "Our passwords are not case insensitive. We accept three forms of the user's password to help overcome the most common reasons that authentic logins are rejected. In addition to the original password, we also accept the password if a user inadvertently has caps lock enabled or their mobile device automatically capitalizes the first character of the password. We feel this does not significantly impact the security of the user's password or their account. Additionally, we do not store our passwords in plain text; we use several encryption technologies and techniques to maintain the security of our information."

Topics: Security, Social Enterprise

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

35 comments
  • RE: Facebook passwords are not case sensitive (security warning)

    How could this not be by design? If it were purely a case-insensitivity issue, then any combination of upper/lower would work. I'm guessing they wanted it to be a neat trick to defeat the inevitable CAPS LOCK user mistake.
    Tom Fisher
  • Makes sense to me

    It sounds exactly by design to me. They wanted to cut down on the number of support requests from dumb users that left their caps lock key on. Simple.

    It doesn't work with the other combinations, only the exact mirror, and without changes to numbers, because that is exactly how the caps lock key functions.
    @...
    • RE: Facebook passwords are not case sensitive (security warning)

      @shane@... I just did the calculation:
      Using your example of password1234 this will cut down your entropy (or keyspace) from:
      3,226,266,762,397,900,000,000 (# of possibilities)
      to about:
      1,873,316,184,618,135,483,871
      Still a frickin huge number.
      If you figure about 17 billion tries an hour (very high performance) that equates to cracking for about:
      2,271,694,859 days (assuming you somehow got a hash to crack off of).
      This is a non-issue, worry more about facebook internal security and information leakage via improper privacy controls.
      @...
      • RE: Facebook passwords are not case sensitive (security warning)

        Programs are written to try every possible name and dictionary word, trying the first few million, then the next few million tries with number(s)/character(s) prepended or appended. A fast computer can run just those in a few hours, I bet.

        "z&LKFwe2*^!@z~", for example, is the only way to go for the best possible defense.

        Does anyone know you can use Alt+123 (alt key symbols) etc. in passwords in Windows XP? I tried it once and it worked. One of those symbols alone, IMO, would render moot many password guessing platforms, adding even stronger exponentiation to the mix.

        It's a shame that "all" hardware and web based systems do not offer such a robust feature set.

        Encryption of data is even better.
        pcguy777
      • RE: Facebook passwords are not case sensitive (security warning)

        @pcguy777

        "z&LKFwe2*^!@z~" is not necessarily the 'best' approach.
        You either end up writing them down (*bad* idea) or using the same "strong" password for all accounts (equally *bad* idea).

        Check out https://www.grc.com/haystack.htm for some fun and info.

        While your suggested password *is* much more secure, according to the calculator at that link, your 'PaSsword2' example has a search space of 1.38 x 10^16 and would take 2.29 minutes to guess -- *IF* you can make *100 trillion* guesses/sec! At 100 billion guesses / sec it goes to 1.59 DAYS. You don't wanna know how long at 1000 guesses/sec ... but go look :)
        jimaaaaaa9
      • RE: Facebook passwords are not case sensitive (security warning)

        @shane@... But what about the thousands of people that just sit around trying to crack passwords all day, and the countless groups of hackers that use emulated and simulated programs to crack and hack sites and server information? This can pose a security risk, especially for users that run companies or are famous!
        sirallerik
  • Yeah, I have to agree... mUST'VE BEEN INTENTIONAL.

    It seems like that was probably done on purpose, but I think the designers' sentiment was misplaced. This is simply poor form in my opinion. Just let folks fail to log in and realize their CAPSLOCK is on.
    SenorAlejandro
    • RE: Facebook passwords are not case sensitive (security warning)

      @SenorAlejandro
      I have to say this is the sentiment that I agree with. Most places WILL say check your caps lock if you get it wrong.
      a1slipkid
  • RE: Facebook passwords are not case sensitive (security warning)

    @Tom Fisher:
    Agreed... I'm not sure that brute-forcing a FB account is high on a hacker's to-do list, but I guess 200M passwords is better than 400M...

    ;-)
    BET7139
    • RE: Facebook passwords are not case sensitive (security warning)

      @BET7139 I don't think that brute force attacks would be possible at all. For obvious reasons, I didn't try that, but my guess is that after a certain number of failed login attempts in a row, Facebook will block the entire account.
      From a security perspective, this is a non story. From a usability perspective, it isn't.
      cgdams
  • Bad practice

    What it suggests to me is that they aren't hashing your password and only storing it as the hash.
    dev/null
    • RE: Facebook passwords are not case sensitive (security warning)

      @dev/null No, they're probably just storing all 3 hashed versions, that's what I would do. They've got a pretty decent security team over there.
      @...
    • RE: Facebook passwords are not case sensitive (security warning)

      @dev/null
      What it suggest to me is that they have three hashes stored
      zdnet@...
      • RE: Facebook passwords are not case sensitive (security warning)

        @zdnet@...
        Hmmm, that's okay if the hashing is done at the client end and the hashes are sent instead of clear text password for login. It's insecure to receive plain text login/password, simple. It doesn't matter if it is encrypted umpteen different ways at the server, it is still insecure .... PERIOD.
        andrew.mcglashan
        • RE: Facebook passwords are not case sensitive (security warning)

          Not really. If the traffic is unencrypted, then the attacker can still get the hashed value of your password, and they can use it to log in to your Facebook account just as easily as using your password (since the site will be expecting the hashed version). The real solution is to protect the traffic by using SSL, especially on unprotected wireless networks.
          JeffOlson
    • RE: Facebook passwords are not case sensitive (security warning)

      @dev/null there is another, much more likely, possibility. And it is one that makes their practice no less secure.

      When a login fails, Facebook tries again with the modified password. I work for the makers of a password management system, and that is what we used to do. In our case it didn't reduce security at all because while it means that a guesser only has to guess half the number of possibilities, it means that each wrong guess takes twice as long to check.

      So although this didn't reduce security in the slightest, the perception was that it did, so we've had to phase it out.

      For Facebook there is a slight security weakening through this. Because the login attempts are remote, their throttling or lock-out algorithm in a sense cuts in a little slower because each incorrect password attempt will actually be two or three (but will only count as one).

      However, because there is throttling, it means that any technical danger their scheme introduces means nothing in practice.

      We also need to recognize the password reset procedures that the user goes through when they forget their passwords introduces its own security problems. So by substantially reducing the number of password reset requests at a negligible cost of password trials, this is probably a good thing with respect to security.

      Cheers,

      -j
      jpgoldberg
  • Bad Practice - Or Not

    I wondered whether this means the password is stored in plaintext, but it doesn't have to be. There are only two versions and they can hash both and see if either hash matches what is stored for the account.
    orcmid
  • Seems to be CS for me

    I just tried this using numerous permutations, and it does in fact appear case-sensitive.
    mike_devlin
  • RE: Facebook passwords are not case sensitive (security warning)

    Seriously? Considering all the other security issues with facebook, this is kind of no big deal. In all honesty, I think it's a pretty good idea.
    jred
  • RE: Facebook passwords are not case sensitive (security warning)

    Just want to point out that the title here is wrong. The passwords are still case sensitive. They're just not insensitive.
    mr.RichardWright