I just made a small discovery about Facebook passwords: they are not completely case sensitive. If you have characters in your Facebook password (as in, it's not just numbers), there is a second password that will let you log in to the social network.
Earlier today, I needed to check Facebook in Microsoft Internet Explorer 9, my alternative browser to Google Chrome. For whatever reason, I had my caps lock key on. Despite this, I still managed to log in to Facebook just fine.
I did a little investigation and I soon realized what was happening. If you reverse the case of every character in your password, you can still log into Facebook. Seriously, go try it yourself: Facebook Login.
This means that if your password is password1234, you can log in with PASSWORD1234, but not any other combination of lower case and upper case characters. If your password is PaSsWoRd1234, you can log in with pAsSwOrD1234, but not any other combination of lower case and upper case characters.
Even if you have both lower and upper cases in your password, you can still have the caps lock key on when you log in. Just remember to hit the shift key in the right places, and you'll still get in fine.
This really isn't a huge security problem, although if someone is trying to brute force your Facebook account, they can technically try significantly fewer passwords.
I'm not sure if this is by design or not, so I've contacted Facebook and asked for clarification.
Update: This is by design after all. I got in touch with Fred Wolens at the Facebook PR security team and he explained the details to me. Here is what I learned (I also asked him for a written statement, which I'll update the post with again when I get it).
Facebook actually accepts three forms of your password:
- Your original password.
- Your original password with the first letter capitalized. This is only for mobile devices, which sometimes capitalize the first character of a word.
- Your original password with the case reversed, for those with a caps lock key on.
The third case is the one I stumbled upon today. Wolens told me Facebook has had this implemented "for a while" although he couldn't say for exactly how long. He also noted that Facebook doesn't believe this impact the security of the user's passwords, since the characters are still unique, just flipped.
Wolens made a point to emphasize Facebook still has a number of security checks that happen even after the password is accepted. For example, if you log in from a questionable device, or if you log in from two locations that are very far apart from each other, it will prompt you with a verification code.
Facebook may say there's low risk in its password practices, but this comes off as blasé, according to my colleague Ryan Naraine. Ease of use can turn into a security problem down the road, which is why many services will warn you to make sure the caps lock is off instead of simply allowing a "flipped" version of your password.
Update 2: "Nothing is more important to us than the security of our users and their information," a Facebook spokesperson said in a statement. "Our passwords are not case insensitive. We accept three forms of the user's password to help overcome the most common reasons that authentic logins are rejected. In addition to the original password, we also accept the password if a user inadvertently has caps lock enabled or their mobile device automatically capitalizes the first character of the password. We feel this does not significantly impact the security of the user's password or their account. Additionally, we do not store our passwords in plain text we use several encryption technologies and techniques to maintain the security of our information."
- September 2011: The Definitive Facebook Lockdown Guide
- My first Facebook imposter experience
- Symantec finds 15% of Facebook videos are likejacking attacks
- Three weeks later, Facebook has paid $40,000 in security bug bounties
- Facebook launches security bug bounty program
- Security experts have mixed feelings about Facebook's privacy revamp
- Facebook testing two new mobile security features
- Facebook improves safety, security tools; experts not impressed
- Facebook CEO Mark Zuckerberg: spamming apps are lame