Every Facebook User Has Multiple Passwords - gHacks Tech News

Every Facebook User Has Multiple Passwords

Facebook users log in to the social networking site with their username and password. Normally you would expect that the password is unique, and that no one else can access the account by entering a different password in the login prompt on the website.

If you have thought that then you have been wrong, and that for some time now. Emil Protalinski over at ZDNet found out by accident that Facebook appears to accept different password combinations during login.

He noticed the issue after finding out that he was able to log into Facebook with Caps Lock on while entering the password.

One would expect that the login attempt would be turned down, but that is apparently not the case.

Facebook later confirmed that they accept three different forms of a user password:

  • The original password, obviously.
  • The original password with the first letter capitalized. This is apparently only working for mobile devices.
  • The original password with the letter case reversed.

If your password is ghacksIsGreat, Facebook would also accept GHACKSiSgREAT and GhacksIsGreat when connecting from a mobile device.

The reasoning behind that is to avoid too many caps lock conflicts for users logging in to the site.

Numbers on the other hand are always displayed as numbers in the Facebook login prompt, which is why only letters are accepted with case changes. Facebook assumes that the caps lock key has been active if the password is send over with reverse case.

The question is this: Is the acceptance of password variations on Facebook a security issue? While brute force attacks could in theory benefit from the additional password forms that are accepted on Facebook, their impact seems to be neglectful, especially if secure passwords are selected by the site's users.

It is still a security issue, and some users might prefer warnings that the caps lock key is active to the way Facebook is handling the issue right now.

Facebook is not the only company that was criticized for their password security. Amazon was recently in the news as well: Amazon Login May Accept Password Variants

What's your take on this?

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Tige Gibson said on September 14, 2011 at 2:21 am
    Reply

    As someone who does a lot of data entry with CapsLock on, I get annoying password rejections several times a day. The probability of a hacker finding your password but with the case reversed is only faintly different. Instead of 1 in a hundred trillion it will be 3 in a hundred trillion. Big deal.

    1. Martin Brinkmann said on September 14, 2011 at 9:15 am
      Reply

      Actually it is more than that, as you only need to test one variant for all passwords, so you test “test”, “test1234” and “example” and do not need to test “TEST”, “TEST1234”, “EXAMPLE”, “Test”, “Test1234” or “Example”. Less passwords need to be tested. It is still highly ineffective though.

      1. Phillip said on September 14, 2011 at 2:38 pm
        Reply

        Martin
        You stated if tried test and test1234 it would mean you don’t have to try TEST and Test. Well that is true it only affects people that either have no capital letters in their password or only have the first letter capital. If they have anything other then the first one capital then your brute-force wont work. So it does affect a lot of people it still isn’t as bad as you make it sound.

      2. Martin Brinkmann said on September 14, 2011 at 2:51 pm
        Reply

        It works the other way round as well, as far as I understand. A user with the password “Test” or “TEST could also log in with “tEST” or “test”.

  2. rvdmast said on September 14, 2011 at 7:23 am
    Reply

    Doesn’t this indicate that they store passwords unencrypted or with a reversible encrypyion? Instead of using a hash (non-reversible).
    If a hacker steals their database he has all the passwords ready to use…

    1. Martin Brinkmann said on September 14, 2011 at 9:11 am
      Reply

      Maybe they just compute multiple hashes for the variants?

  3. bastik said on September 14, 2011 at 10:06 am
    Reply

    Maybe they convert the user input to lower case and hash that. Or all uppercase.

    Assuming an 8 char password under “normal” conditions (0-9;a-z;A-Z,no special keys). 10 numbers + 26 lower case + 26 upper case results in 62 possible chars per char. Which is 8^62.

    Ignoring the case results in 10 + 26 (36). This equals 8^36. (please correct that if I’m wrong)

    That can be compensated by increasing the length.

    It’s security vs. comfort or in this case support or complains.

    1. bastik said on September 25, 2011 at 1:21 pm
      Reply

      Yes, I was wrong.

      It isn’t [password-length]^[possible chars]. It’s [possible chars]^[password-length]. Which makes it 62^8 versus 36^8 in the above example.

  4. Dan said on September 14, 2011 at 1:40 pm
    Reply

    I agree with rvdmast. Storing the original password, if being done by FB, would be very distressing. Eventually, a malicious hacker will compromise FB and all heck will break loose.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.