Facebook passwords are not case sensitive (update)
Summary: If your Facebook password contains letters, there is a second password that will also log you in to the social network.
I just made a small discovery about Facebook passwords: they are not completely case sensitive. If you have characters in your Facebook password (as in, it's not just numbers), there is a second password that will let you log in to the social network.
Earlier today, I needed to check Facebook in Microsoft Internet Explorer 9, my alternative browser to Google Chrome. For whatever reason, I had my caps lock key on. Despite this, I still managed to log in to Facebook just fine.
I did a little investigation and I soon realized what was happening. If you reverse the case of every character in your password, you can still log into Facebook. Seriously, go try it yourself: Facebook Login.
This means that if your password is password1234, you can log in with PASSWORD1234, but not any other combination of lower case and upper case characters. If your password is PaSsWoRd1234, you can log in with pAsSwOrD1234, but not any other combination of lower case and upper case characters.
Even if you have both lower and upper cases in your password, you can still have the caps lock key on when you log in. Just remember to hit the shift key in the right places, and you'll still get in fine.
This really isn't a huge security problem, although if someone is trying to brute force your Facebook account, they can technically try significantly fewer passwords.
I'm not sure if this is by design or not, so I've contacted Facebook and asked for clarification.
Update: This is by design after all. I got in touch with Fred Wolens at the Facebook PR security team and he explained the details to me. Here is what I learned (I also asked him for a written statement, which I'll update the post with again when I get it).
Facebook actually accepts three forms of your password:
- Your original password.
- Your original password with the first letter capitalized. This is only for mobile devices, which sometimes capitalize the first character of a word.
- Your original password with the case reversed, for those with a caps lock key on.
The third case is the one I stumbled upon today. Wolens told me Facebook has had this implemented "for a while" although he couldn't say for exactly how long. He also noted that Facebook doesn't believe this impacts the security of the user's passwords, since the characters are still unique, just flipped.
Wolens made a point to emphasize Facebook still has a number of security checks that happen even after the password is accepted. For example, if you log in from a questionable device, or if you log in from two locations that are very far apart from each other, it will prompt you with a verification code.
Facebook may say there's low risk in its password practices, but this comes off as blasé, according to my colleague Ryan Naraine. Ease of use can turn into a security problem down the road, which is why many services will warn you to make sure the caps lock is off instead of simply allowing a "flipped" version of your password.
Update 2: "Nothing is more important to us than the security of our users and their information," a Facebook spokesperson said in a statement. "Our passwords are not case insensitive. We accept three forms of the user's password to help overcome the most common reasons that authentic logins are rejected. In addition to the original password, we also accept the password if a user inadvertently has caps lock enabled or their mobile device automatically capitalizes the first character of the password. We feel this does not significantly impact the security of the user's password or their account. Additionally, we do not store our passwords in plain text; we use several encryption technologies and techniques to maintain the security of our information."
Talkback
RE: Facebook passwords are not case sensitive (security warning)
Makes sense to me
It doesn't work with the other combinations, only the exact mirror, and without changes to numbers, because that is exactly how the caps lock key functions.
RE: Facebook passwords are not case sensitive (security warning)
Using your example of password1234 this will cut down your entropy (or keyspace) from:
3,226,266,762,397,900,000,000 (# of possibilities)
to about:
1,873,316,184,618,135,483,871
Still a frickin huge number.
If you figure about 17 billion tries an hour (very high performance) that equates to cracking for about:
2,271,694,859 days (assuming you somehow got a hash to crack off of).
This is a non-issue, worry more about facebook internal security and information leakage via improper privacy controls.
RE: Facebook passwords are not case sensitive (security warning)
"z&LKFwe2*^!@z~" is not necessarily the 'best' approach.
You either end up writing them down (*bad* idea) or using the same "strong" password for all accounts (equally *bad* idea).
Check out https://www.grc.com/haystack.htm for some fun and info.
While your suggested password *is* much more secure, according to the calculator at that link, your 'PaSsword2' example has a search space of 1.38 x 10^16 and would take 2.29 minutes to guess -- *IF* you can make *100 trillion* guesses/sec! At 100 billion guesses / sec it goes to 1.59 DAYS. You don't wanna know how long at 1000 guesses/sec ... but go look :)
RE: Facebook passwords are not case sensitive (security warning)
Yeah, I have to agree... mUST'VE BEEN INTENTIONAL.
RE: Facebook passwords are not case sensitive (security warning)
I have to say this is the sentiment that I agree with. Most places WILL say check your caps lock if you get it wrong.
RE: Facebook passwords are not case sensitive (security warning)
Agreed... I'm not sure that brute-forcing a FB account is high on a hacker's to-do list, but I guess 200M passwords is better than 400M...
;-)
RE: Facebook passwords are not case sensitive (security warning)
From a security perspective, this is a non story. From a usability perspective, it isn't.
Bad practice
RE: Facebook passwords are not case sensitive (security warning)
What it suggests to me is that they have three hashes stored
RE: Facebook passwords are not case sensitive (security warning)
Hmmm, that's okay if the hashing is done at the client end and the hashes are sent instead of clear text password for login. It's insecure to receive plain text login/password, simple. It doesn't matter if it is encrypted umpteen different ways at the server, it is still insecure .... PERIOD.
RE: Facebook passwords are not case sensitive (security warning)
When a login fails, Facebook tries again with the modified password. I work for the makers of a password management system, and that is what we used to do. In our case it didn't reduce security at all because while it means that a guesser only has to guess half the number of possibilities, it means that each wrong guess takes twice as long to check.
So although this didn't reduce security in the slightest, the perception was that it did, so we've had to phase it out.
For Facebook there is a slight security weakening through this. Because the login attempts are remote, their throttling or lock-out algorithm in a sense cuts in a little slower because each incorrect password attempt will actually be two or three (but will only count as one).
However, because there is throttling, it means that any technical danger their scheme introduces means nothing in practice.
We also need to recognize the password reset procedures that the user goes through when they forget their passwords introduces its own security problems. So by substantially reducing the number of password reset requests at a negligible cost of password trials, this is probably a good thing with respect to security.
Cheers,
-j
Bad Practice - Or Not
Seems to be CS for me