Every Facebook User Has Multiple Passwords
Facebook users log in to the social networking site with their username and password. Normally you would expect that the password is unique, and that no one else can access the account by entering a different password in the login prompt on the website.
If you have thought that then you have been wrong, and that for some time now. Emil Protalinski over at ZDNet found out by accident that Facebook appears to accept different password combinations during login.
He noticed the issue after finding out that he was able to log into Facebook with Caps Lock on while entering the password.
One would expect that the login attempt would be turned down, but that is apparently not the case.
Facebook later confirmed that they accept three different forms of a user password:
- The original password, obviously.
- The original password with the first letter capitalized. This is apparently only working for mobile devices.
- The original password with the letter case reversed.
If your password is ghacksIsGreat, Facebook would also accept GHACKSiSgREAT and GhacksIsGreat when connecting from a mobile device.
The reasoning behind that is to avoid too many caps lock conflicts for users logging in to the site.
Numbers on the other hand are always displayed as numbers in the Facebook login prompt, which is why only letters are accepted with case changes. Facebook assumes that the caps lock key has been active if the password is send over with reverse case.
The question is this: Is the acceptance of password variations on Facebook a security issue? While brute force attacks could in theory benefit from the additional password forms that are accepted on Facebook, their impact seems to be neglectful, especially if secure passwords are selected by the site's users.
It is still a security issue, and some users might prefer warnings that the caps lock key is active to the way Facebook is handling the issue right now.
Facebook is not the only company that was criticized for their password security. Amazon was recently in the news as well: Amazon Login May Accept Password Variants
What's your take on this?Advertisement
As someone who does a lot of data entry with CapsLock on, I get annoying password rejections several times a day. The probability of a hacker finding your password but with the case reversed is only faintly different. Instead of 1 in a hundred trillion it will be 3 in a hundred trillion. Big deal.
Actually it is more than that, as you only need to test one variant for all passwords, so you test “test”, “test1234” and “example” and do not need to test “TEST”, “TEST1234”, “EXAMPLE”, “Test”, “Test1234” or “Example”. Less passwords need to be tested. It is still highly ineffective though.
You stated if tried test and test1234 it would mean you don’t have to try TEST and Test. Well that is true it only affects people that either have no capital letters in their password or only have the first letter capital. If they have anything other then the first one capital then your brute-force wont work. So it does affect a lot of people it still isn’t as bad as you make it sound.
It works the other way round as well, as far as I understand. A user with the password “Test” or “TEST could also log in with “tEST” or “test”.
Doesn’t this indicate that they store passwords unencrypted or with a reversible encrypyion? Instead of using a hash (non-reversible).
If a hacker steals their database he has all the passwords ready to use…
Maybe they just compute multiple hashes for the variants?
Maybe they convert the user input to lower case and hash that. Or all uppercase.
Assuming an 8 char password under “normal” conditions (0-9;a-z;A-Z,no special keys). 10 numbers + 26 lower case + 26 upper case results in 62 possible chars per char. Which is 8^62.
Ignoring the case results in 10 + 26 (36). This equals 8^36. (please correct that if I’m wrong)
That can be compensated by increasing the length.
It’s security vs. comfort or in this case support or complains.
Yes, I was wrong.
It isn’t [password-length]^[possible chars]. It’s [possible chars]^[password-length]. Which makes it 62^8 versus 36^8 in the above example.
I agree with rvdmast. Storing the original password, if being done by FB, would be very distressing. Eventually, a malicious hacker will compromise FB and all heck will break loose.