If you have thought that then you have been wrong, and that for some time now. Emil Protalinski over at ZDNet found out by accident that Facebook appears to accept different password combinations during login. He noticed the issue after finding out that he was able to log into Facebook with Caps Lock on while entering the password.

One would expect that the login attempt would be turned down, but that is apparently not the case.

Facebook later confirmed that they accept three different forms of a user password:

• The original password, obviously.
• The original password with the first letter capitalized. This is apparently only working for mobile devices.
• The original password with the letter case reversed.

If your password is ghacksIsGreat, Facebook would also accept GHACKSiSgREAT and GhacksIsGreat when connecting from a mobile device.

The reasoning behind that is to avoid to many caps lock conflicts for users logging in to the site. Numbers on the other hand are always displayed as numbers in the Facebook login prompt, which is why only letters are accepted with case changes. Facebook assumes that the caps lock key has been active if the password is send over with reverse case.

The question is this: Is the acceptance of password variations on Facebook a security issue? While brute force attacks could in theory benefit from the additional password forms that are accepted on Facebook, their impact seems to be neglectful, especially if secure passwords are selected by the site’s users.

It is still a security issue, and some users might prefer warnings that the caps lock key is active to the way Facebook is handling the issue right now.

Facebook is not the only company that was criticized for their password security. Amazon was recently in the news as well: Amazon Login May Accept Password Variants

What’s your take on this?

This short guide lists the important changes and some general tips to improve a Facebook account’s security and login.

Facebook Account Hardening

Most security features on Facebook deal with the log in on the site. This is where we start as well.

• Facebook password: Make sure you use a secure password on Facebook. Best passwords are made up of a combination of letters, numbers and special characters. It is suggested to use at least 14 characters, the more the better. Make sure that you do not use dictionary words, names or other terms that can be associated with you.

To change your password do the following: Click Account on the upper right and select Account Settings from the menu.

Locate Password under the Settings tab and click the change link on the right of it. A form opens on the same page where you need to enter your old password and the new password. A click on Change Password completes the process so that the new password will be the valid password from that moment on. You will be logged of all computers when you change the password.

• Security Question: The security question and answer are used by Facebook to identify the account owner, for instance when you contact them because you do not have access to your account anymore. It is important to select a question and answer that only you can answer. Remember that you can add any answer that you want. Instead of answering “What was the last name of your first grade teach” with Mrs. Smith, you could instead use characters from your ID card, driver’s license or a phrase that you can remember well.

You can change the Security Questions under Account Settings as well. Just select change next to Security Question this time.

• Secure Browsing (https): You can open Facebook by loading http://www.facebook.com/ and https://www.facebook.com/. The difference? The HTTPS variant is more secure, as it uses encryption which blocks access to spy on your network traffic. That’s for instance helpful if you connect to the site from a public computer or wireless network.
• Login Notifications: You can enable this option to receive emails whenever someone logs in to your Facebook account from an unrecognized computer.
• Facebook Login Approvals: This new feature improves security by linking the Facebook account to your mobile phone number. Facebook sends a pin to the linked mobile phone whenever someone tries to log in from an unrecognized computer. You need to add your mobile phone number to Facebook before you can make use of that feature.

You can configure all three options under Account Settings. Locate Account Security there and click the change button to see the following configuration options.

It is suggested to enable all three, unless you do not want to add your mobile phone to Facebook. Enable the first two (secure browsing and login notification) then.

Is there anything else that you do to keep your Facebook login and account secure? Let us know in the comments.

PayPal for instance is offering VeriSign ID Protection devices that act as a second layer of authentication. Google recently introduced two-step verification for Google accounts as well.

The company confirmed today on the official Facebook blog that the feature has been rolled out to all Facebook users. Every Facebook user has now the option to enable two factor authentication on Facebook. The protection is called Facebook Login Approvals, and designed to add a second layer of protection to the log in process on the social networking site.

Facebook users can enable the new security feature under Account > Account Settings > Account Security.

This launches a wizard that guides the user through the activation of the security service. Login Approvals works in the following way:

You link a mobile phone number to your Facebook account. This mobile phone number receives a code via SMS whenever someone with the correct username and password tries to log in from an unauthorized computer.

This means that you do not get a code when you log in from your home computer. Attackers do not get to see the code either when they do not enter the right login credentials.

The only two scenarios where the code is displayed are unauthorized login attemps by attackers who have your username and password, and first time log ins on new computer systems or devices.

Facebook users will furthermore be notified of log in attempts from unauthorized computer systems. An unsuccessful attempt usually means that someone else is in possession of a user’s Facebook username and password. Users get options to change their account password right away to protect their account further.

Back to the configuration. Codes are currently only send to mobile phones via SMS. This means that you need to add at least one mobile phone number to your Facebook account.

Users who have not done that already are asked to add a mobile phone number to their account to complete the Login Approvals setup.

It is afterwards necessary to confirm the phone by entering a code that is send to it by Facebook. The mobile phone number and Facebook account are from that moment on linked.

What happens if you lose your phone? You still have the option to log in from computer systems that have been authorized previously.

Facebook users who want to add an extra layer of protection to their account should consider enabling login approvals. Some users may not want to add a mobile phone number to their Facebook account on the other hand. There is unfortunately no way around this currently if you want to make use of Login Approvals. (via Facebook Login Approvals)

Two-Factor Authentication is being rolled out at the moment which means that the new feature is not available for all accounts yet.

What we know at this point is that it is turned off by default which means that users need to turn it on before it becomes available. This is similar to the always use HTTPS feature that was introduced earlier this year by Facebook.

It is likely that Two-Factor Authentication will become available under Account Security in the Facebook Settings, just like Secure Browsing (https) did earlier this year.

The blog post over at the official Facebook blog is vague about the new feature.

If you turn this new feature on, we’ll ask you to enter a code anytime you try to log into Facebook from a new device

This is a core difference to Google’s 2-Factor Authentication which stays active once it has been enabled for an account. Facebook’s Two-Factor Authentication on the other hand will only ask for the second code if a user tries to log in from a new device or computer which makes the protection a lot weaker.

Sites like The Next Web are reporting that the feature is similar to Google’s Two-step verification which it clearly is not, except for the fact that both systems ask the user to enter two codes to log in.

The blog post mentions additional improvements, including a switch back to HTTPS if you use an application that connects via plain http.

The remaining improvements concern family and online safety, more than they do security. A new social reporting tool has been revealed “that allows people to notify a member of their community, in addition to Facebook, when they see something they don’t like”.

Two-Factor Authentication is a step in the right direction, but Facebook users should have options to enable it for all logins on the social networking site, not only for log ins from new devices or computers, (via Caschy)

Then again, problems can arise if that program becomes inaccessible, or if the user needs the login information in plain text to use them in another application. What if the program the Facebook login information are stored in does not offer an option to reveal them so that they can be accessed or copied?

Facebook Password Decryptor is a free program for the Windows operating system that can retrieve Facebook account password and username information from Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Paltalk Messenger and Miranda Messenger.

Users do not need any technical expertise to use the program. All they need to do is to start the application after installation and click on the Start Recovery button. Facebook Password Decrypter automatically scans the system for the installed supported applications to display the program name, Facebook user name and password in a table.

Passwords are hidden behind asterisks by default, a click on Show Password changes that so that they can be viewed in clear text. It is furthermore possible to export the list of Facbeook logins to text or HTML.

A word of advise. The software tries to install Real Player during installation. The installation of Facebook Password Decryptor can be completed even if the Real Player installation is canceled.

Facebook Password Decryptor is available for download at the developer website. It was tested on a 64-bit Windows 7 Professional system, and should run fine on all Microsoft operating systems starting with Windows XP.

Facebook yesterday introduced a similar feature that they call one-time passwords. But instead of having to visit the Facebook page to request the one-time password, Facebook users need to send the text “otp” to 32665 on their mobile phone. They then receive the password that they can use to login on Facebook. The password is only valid for one login, and will expire automatically after 20 minutes.

According to the announcement post, this feature is rolled out gradually. We are not sure at this point if this will be a US feature for now, or if this option is available globally.

There are also no information on the costs of sending and receiving the one-time password to login.

The second improvement has been available to some users for some time already, but is now available to all Facebook users. All Facebook users have now the option to see all active Facebook sessions, with the ability to end remote sessions.

This can be helpful in numerous situations. Maybe you have logged into Facebook in the library to check your account and forgot to log out. With account activity it is now possible to log out so that no one else can access the data in the account.

But this is also helpful if someone else managed to get unauthorized access to the account. The first step would be to log them out, and then change the password to protect the account and avoid this from happening again. Then again, they may do the same so you better hurry and know what you are doing.

In addition to that, Facebook will from now on display prompts after the log in, that ask the user to check and edit security information. Recently we have been asked to name the computer that we were working on for instance.

The blog post on Facebook does not address some questions that users may have, for instance if the one-time password option is available internationally, how much users will be charged for the request or when it is available to them.

Facebook users do need to make sure that they have the mobile phone number linked to their account, before they can start requested one-time passwords to log in.

The Facebook Toolbar may be one of them, but only if the user is a die hard Facebook addict who wants to stay in the loop all the time and interact with Facebook without being on the site.

On first glance, the Facebook toolbar looks like a lot of other toolbars. It has the usual assortment of buttons and a search form on it. None of these functions can be used without logging in to Facebook first. The toolbar has a Facebook login link on the right side.

Alternatively, a login popup is displayed if any of the features are accessed prior to logging in.

Just enter your Facebook login credentials, and allow the toolbar to interact with the Facebook account.

The layout of the toolbar changes slightly after logging in. Lets take a look at the features offered by the Facebook toolbar.

• Facebook Friends Sidebar: Displays the Facebook friend list in a sidebar
• Facebook Search: Performs a search on Facebook.
• Quick Links: Links pointing to various Facebook pages, including profile, friends, inbox, photos, notes, groups, events, links, videos, account settings, privacy settings, application settings and toolbar settings
• Facebook Home: Link to the Facebook homepage
• Share: Shares the active page on Facebook
• Upload photos: Option to upload photos to the Facebook profile
• Set your stats: Quickly set a new status message on Facebook.
• Logout: Log out of Facebook from the Toolbar

The toolbar user is automatically logged in on Facebook as well, as long as the login in the toolbar stays active. One of the most interesting features of the toolbar are notifications of activities on Facebook.

The toolbar options define which notifications will be displayed to the logged in user. Notifications are divided into user and friend notifications.

• Notifications about me: new friend requests, new message, new poke, new friend, new event invite, new group invite, new share, all other notifications
• Notifications about my friends: a friend updates his/her profile, a friend updates his/her status, a friend updates his/her albums, someone writes on a friend’s wall, a friend writes a note
• Other notifications: Uploads Complete

All of the notifications in the list above can be enabled or disabled individually. It is furthermore possible to switch from toolbar notifications windows to built-in Firefox notifications.

The Facebook Toolbar is available for Microsoft Internet Explorer and Mozilla Firefox.

Facebook has designed the login process to provide additional information to the user if the email and password combination used to log in do not match.

Instead of just displaying a warning that the log in information were not correct, Facebook went one step further and displayed “Login As” information on the page. This included the user’s profile photo and full name, regardless of that user’s privacy settings on Facebook.

Atul described the problem in detail on Seclists:

Sometime back, I noticed a strange problem with Facebook, I had accidentally entered wrong password in Facebook, and it showed my first and last name with profile picture, along with the password incorrect message. I thought that the fact that it was showing the name had something to do with cookies stored, so I tried other email id’s, and it was the same. I wondered over the possibilities, and wrote a POC tool to test it.

This script extracts the First and Last Name (provided by the users when they sign up for Facebook). Facebook is kind enough to return the name even if the supplied email/password combination is wrong. Further more,it also
gives out the profile picture (this script does not harvest it, but its easy to add that too). Facebook users have no control over this, as this works even when you have set all privacy settings properly. Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.

facebook login privacy

The issue has been fixed in record time by Facebook. It does however mean that
the privacy issue was exploitable by everyone, including users without a Facebook account, until the fix had been applied,. In plain English, email addresses could be linked to real names and profile photos this way, with the right tools even in an automated way. The proof of concept code that Atul wrote showed that malicious users could have exploited the issue to create a huge database of linked email addresses and full names, which could be disastrous if used in phishing campaigns or other malicious uses.

Read Write Web had to add a bold paragraph to the article that explained to Facebook users that the site was not Facebook.

The recent ranking algorithm changes by Google, dubbed MayDay by webmasters throughout the world, has apparently repeated the ranking problems. The site in position one in the Google Search engine for Facebook Login is a very basic website with the domain name sahabatsejati.com that is currently displaying a 404 error message, most likely caused by the increase in traffic that this highly competitive search term is sending to the site that made it to the top of the Google search engine.

facebook login

The Google cache is still showing the website which does not even contain a link to Facebook.

facebook login not working

The Facebook website is listed in second position right after the dead website. This is a very prominent example of the ranking problems of Google Search. Maybe it is time to switch to another search engine, read Useful Tips To Get The Most Out Of Bing Search for a start.

MAYDAY, MAYDAY, MAYDAY, Google we have a problem.

Many Facebook users do not know that Facebook has an option to notify account owners about logins from other computer systems and mobile devices.

While this does not prevent the other user from logging in it gives the actual account owner information at hand to react immediately to prevent further damages.

Every Facebook user can configure the account to include that notification of unauthorized access.

Here is how you can configure your account. Open the Facebook homepage and log into your account. Click the Account link in the upper right corner of the screen and then account settings in the context menu.

This opens the My Account configuration menu. Locate the Account Security setting under the settings tab.

Click on the change link on the right of Account Security to display the options directly on the same page. The setting reads:

To help keep your Facebook account as safe as possible, we can notify you when your account is accessed from a computer or mobile device that you haven’t used before.

The default value is set to no. Select yes and submit to activate the notifications.

Make sure to log out and in again as you are asked to register the current computer system with Facebook on the next login to the social network.

Please take a moment to register this computer by choosing a name you’ll remember later. You’ll receive a notification confirming that you registered and logged in from here. Please note that if you clear your cookies you may need to reregister this computer.

It is suggested to select Don’t ask me again from this computer if the computer is not a public computer (e.g. library or school).

You will receive email notifications whenever a user logs into your Facebook account from a non-registered computer or from a computer where the don’t ask me again checkbox was not checked. (via Troublefixers)

Facebook Friends Checker is a userscript that can be installed in the Firefox web browser providing that the Greasemonkey extension has been installed prior to this. It might work in other web browsers like Google Chrome or Opera as well but this has not been tested by us.

The userscript will act on every page load after the initial Facebook login. It runs on a schedule that is by default set to 2 hours. This means that it will check the friends list every two hours. The check is initiated on the next page load after the scheduled time frame has passed by.

The developer explains in detail how the script operates:

Any time a page is loaded on Facebook, the script will run and it will follow the following basic algorithm;

* If the script has checked your friends in the past <> hours, do nothing.
* Otherwise, load a page on Facebook in the background with a list of all of your friends.
* Go through each of these friends and add them to a list.
* Compare this list with the list saved the last time the script checked your friends.
* If someone was on the list before who isn’t now, post the box informing the user.
* Save the new list of friends over the old one.
* Save the current time as the last checked time.

Any previous friend who is not longer a friend will then be listed on the Facebook page with options to view the friend’s profile for canceling the friendship as well.

Facebook users with many friends might want to consider increasing the check intervals. Facebook Friends Checker is available at the userscripts.org website

Several security companies are currently warning their users about a widespread scam that is targeting Facebook users per email.

The attackers are currently sending out emails that claim that the Facebook password has been changed and that a new password can be found in an attached document.

Facebook Password Reset Confirmation! Customer Support

Dear user of Facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team.

Experienced users will quickly realize that the email is a scam. There are several indicators for this. Indicators are the non personal tone of the message (no name is mentioned in the email), the email attachment and the fact that Facebook will never send out emails that automatically reset password.

Both McAfee and Sophos have put out warnings about the scam. The attachment’s name is Facebook_details_.zip. It contains a trojan and should therefor not be opened by the user. McAfee reports that the trojan steals computer passwords from the PC when it is executed and not blocked by security software.

Facebook users should take a look at our Facebook Login security information for further tips on how to improve the security on the network. (via Download Squad)

The Facebook web slice for Internet Explorer 8 has been designed to offer Internet Explorer users a faster way to access Facebook updates. Instead of having to visit the Facebook website they now can simply click on the icon in the Internet Explorer favorites bar to access the latest updates of their Facebook profile.

A click on the icon for the first time will display the Facebook login page. The user needs to log into a Facebook account before updates of that account are shown in the web slice. Everything after the login is automated and all it takes to access the updates is to click on the icon in the favorites bar. It will display the latest updates with clickable links that lead right to the Facebook website. It is furthermore possible to update the Facebook status right from the web slice’s window.

Facebook Web Slice is only available for Internet Explorer 8. It can be downloaded from the Internet Explorer add-on’s gallery over at the Microsoft website.

The first category of problems is usually easier to fix. A not loading Facebook page can have only a few sources. It can be that Facebook is currently experiencing difficulties which can be solved by waiting some time and trying again. If the website is not fully loading or displaying old information then clearing the browser cache or trying to access Facebook with another web browser will help.

The last source for Facebook login problems can be that the Internet service provider the user uses to connect to the Internet has problems connecting to Facebook. This again is usually solved by waiting some time and trying to access the page again.

Windows users can also try a so called tracert command to see if the connection to Facebook can be established. They need to open a command prompt (by pressing Windows R, typing cmd and hitting enter). The command tracert facebook.com will try to establish the connection to Facebook and display problems on the screen. These information can then be used to contact the ISP asking for help.

More common are problems associated to the Facebook login itself. This can be that the password or username are not accepted, that the data cannot be remembered or that another error message is displayed when logging into Facebook.

The Facebook login help page provides tips to overcome those log in issues and it is recommended to go there to find the answer to the problems at hand.

An inexperienced user searching for Facebook Login Screen for instance expects the first search result to lead to the search, in this case the Facebook login page to log into the social network.

Google lately on the other hand has experimented with all kinds of additional modules that are displayed to the search engine visitor. Some of these modules are videos, pictures or news.

Facebook users who lately entered the term Facebook Login into Google found not the Facebook page on position one of the search engine results pages but a news column that was pointing to the latest news about the Facebook login.

Many Facebook users have clicked on that link only to find out that they did not land on the Facebook page but a blog page that was writing about Facebook. Even worse was the fact that some users did not even realize that they were not on Facebook as they left comments on the blog stating that they did not like the new design.

Google since then seems to have moved the news down from the first position of the SERPs to the fourth position with Facebook again being on the first. It is likely that other search terms are affected by this as well which might force Google to rethink their strategy.

The news module is still swapped between the first and fourth position on that page.

OutSync is an add-on for Microsoft Outlook that can semi-automate that process, at least for the contacts that are also Facebook friends of the user running the add-on. The idea is simple. Check Facebook to see if Outlook contacts are friends of the user in the social network website. If they are check if they have added a profile photo to their Facebook account. Copy that profile photo over to Outlook to add it as the account photo in the email software.

The process to sync Facebook photos with Outlook Contacts is a four step process. It begins by downloading OutSync from the developer’s website. The first startup may take between one and two minutes. The computer user then needs to perform a Facebook login from within OutSync and wait until the program has matched all the contact information. It is here possible to uncheck contacts from being synced which might make sense if a photo is already assigned to them. Pressing the sync button will update the selected Outlook contacts with the information found at Facebook.

The main benefit of OutSync is for Windows Mobile users. Updated contacts are automatically synced with Windows Mobile devices by Exchange server or ActiveSync. Thus new and fun photos appear during calls and other places where contacts are used.

Outsync is compatible with Outlook 2003 or Outlook 2007 running on Windows XP, Windows Vista, Windows 7 or Windows Server.

More than 50% of all Facebook users are part of a regional network and the upcoming changes will give them – and everyone else – more control over the data that they share.

The result is that regional networks are removed from the privacy controls completely and replaced by a simpler model which basically allows the user to share content with friends, friends of friends or everyone.

This will go along with an overhaul of the Facebook privacy page. Some settings will be combined on that page making it easier for users to control their privacy.

Facebook users will be notified in the next couple of weeks about the changes. The notification will ask them to review and update their privacy settings to reflect the changes of the update.

Make sure to check out our Facebook Login guide to stay on the safe side when accessing the social network.

Pandalabs did release in depth details about a Facebook hacking scam as well. They discovered a website which claimed to hack any Facebook account for $100 payable through Western Union. A user who wants a Facebook account hacked has to register at the website. The Facebook Id of the account that the user wants hacked needs to be entered into the form on the website. A script will then pull the username from that account and mimic a hacking attempt.

It will then ask the user to pay the $100 before the password to the account will be revealed. A user paying the $100 will not get the password to the account. The money is gone as well as it is not possible to get it back once it was send. Veteran Internet users therefor avoid making payments through these money transfer systems.

It is also likely that the login data is recorded and tried on various websites to see if the user did use the same login data on other websites which in the end could mean that the Facebook account of the user who wanted a Facebook account hacked got hacked. Oh, the irony.

Check out our Facebook Login article for pointers on how to avoid falling pray to criminals attacking Facebook.

Trend Micro are reporting about yet another Facebook phishing attack that is currently in the wild. The attack begins – like most phishing attacks – by mass mailing potential Facebook users informing them that they need to update their Facebook login credentials. A link is offered in that email and if they follow that link they land on a website that looks like Facebook. What’s interesting here is that the email address field of the Facebook login form is already filled out so that the Facebook user only needs to enter the Facebook password to complete the process.

A click on the login button will open a new page that contains a link to an update tool which installs a trojan on the user’s system.

It attempts to access a Web site to download a file which contains information where the Trojan can download an updated copy of itself, and where to send its stolen data. This configuration file also contains a list of targeted bank-related Web sites from which it steals information. Note that the contents of the file, hence the list of Web sites to monitor, may change any time.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user’s account information, which may then lead to the unauthorized use of the stolen data.

The blog post contains security tips on how to distinguish legit from phishing emails. Users who are interested in those can visit the blog post but the most important lesson once again is to avoid clicking on links that are send via email.

One option would be to request a password reset directly at Facebook. The option is available on the Facebook login page and requires only the email address that the user registered the Facebook account with. This usually should solve the problem of not being able to log into Facebook.

A superior solution to this is to use a password manager like Last Pass to store the Facebook account information. Last Pass can automatically fill out the form at the Facebook login page and log the user into the social networking website without interaction at all. Last Pass is currently available for several popular web browsers including Mozilla Firefox, Google Chrome and Internet Explorer.

Facebook support contains a Facebook login and password help page that addresses several questions that Facebook users might have about the login process. This includes

• I can’t log in to Facebook.
• I want to change my password.
• My account was hacked or “phished.”
• I want to change my login email address or add a new contact email address.
• I want to sign up for an account. I’m experiencing issues registering for an account.
• There is a yellow banner prompting me to confirm my account.
• I have questions about the “Keep me logged in” option.
• Bugs and known problems.

You can visit the support page here.