Facebook users log in to the social networking site with their username and password. Normally you would expect that the password is unique, and that no one else can access the account by entering a different password in the login prompt on the website.
If you thought so, you have been wrong, and for some time now. Emil Protalinski over at ZDNet found out by accident that Facebook appears to accept different password combinations during login.
He noticed the issue after finding out that he was able to log into Facebook with Caps Lock on while entering the password.
One would expect that the login attempt would be turned down, but that is apparently not the case.
Facebook later confirmed that they accept three different forms of a user password:
If your password is ghacksIsGreat, Facebook would also accept GHACKSiSgREAT (every letter's case reversed) and, when connecting from a mobile device, GhacksIsGreat (the first letter capitalized).
The reasoning behind that is to avoid too many caps lock conflicts for users logging in to the site.
Numbers, on the other hand, are not changed by the Caps Lock key, which is why only letters are accepted with their case changed. Facebook assumes that the Caps Lock key has been active if the password is sent over with reversed case.
The question is this: Is the acceptance of password variations on Facebook a security issue? While brute force attacks could in theory benefit from the additional password forms that Facebook accepts, their impact seems to be negligible, especially if the site's users select secure passwords.
It is still a security issue, and some users might prefer warnings that the caps lock key is active to the way Facebook is handling the issue right now.
Facebook is not the only company that was criticized for their password security. Amazon was recently in the news as well: Amazon Login May Accept Password Variants
What's your take on this?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.