
A few days ago, I was surprised to see that an old password of mine was working again. The present password is the old password truncated by one.

Passwords appended by any single character are now valid. Apparently, FB passwords aren't case sensitive either.

Do you think this poses a security risk?

phil5

1 Answer

Yes, this would pose a security risk, though it would probably be regarded as a very low risk. It is worth noting that Facebook still implements other password policies such as access to email, security questions, server side authentication mechanisms and other various things. That being said, it does still pose a risk. Oftentimes, software companies store old accounts and have their password policies continuously updated over time to match current security standards. If the companies are storing accounts that can be used for retrieval at a later date, the old accounts may not be up-to-date with current password policy recommendations. This is surprisingly not too unusual.

As well, Facebook implements 'features' like these to increase user experience. See: http://www.zdnet.com/article/facebook-passwords-are-not-case-sensitive-update/

The security risk still present is because it would open up a small attack vector that would allow an attacker to access an account faster than they could if the aforementioned policies are not factored in. For example, if your password 5 years ago on Facebook was "Password10", and this account came back to life and did not require an update to the account before accessing the content, it would be easier to access an account by means of brute force and other methods. As previously stated, the risk is very low compared to modern security policies such as lockouts, etc. Though, some security auditing companies and automated scanners might say that it is a low risk.

Henry F
  • If you claim it poses a security risk, would you mind at least defining this risk? Start with "The security risk is ..." – techraf Dec 30 '16 at 00:29
  • @techraf Sure thing, just updated it. Let me know if it could use any more information. – Henry F Dec 30 '16 at 00:39
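To put a number on the "small attack vector" the answer describes, here is an added model of the lenient acceptance behaviour the question reports (exact match, case-insensitive match, and one extra trailing character). It is not Facebook's code; the acceptance rule is reconstructed only from the observed behaviour, and the 95-character printable ASCII alphabet for the appended character is an assumption. It counts how many distinct strings the lenient check accepts compared with a strict check, which is the factor by which the effective password space shrinks.

```python
import itertools
import math
import string

# Assumed alphabet for the appended character: 95 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def strict_match(stored: str, candidate: str) -> bool:
    """Conventional check: exactly one string is accepted."""
    return stored == candidate


def lenient_match(stored: str, candidate: str) -> bool:
    """Constructed model of the behaviour described in the question:
    case is ignored, and a candidate with one extra trailing character
    (the 'old password truncated by one' case) is also accepted."""
    s, c = stored.lower(), candidate.lower()
    return c == s or (len(c) == len(s) + 1 and c[:-1] == s)


def case_variants(password: str) -> set:
    """All strings that equal `password` when case is ignored."""
    options = [(ch.lower(), ch.upper()) if ch.isalpha() else (ch,)
               for ch in password]
    return {"".join(p) for p in itertools.product(*options)}


def accepted_variants(stored: str) -> set:
    """Every distinct string the lenient check accepts for `stored`."""
    base = case_variants(stored)
    extended = {v + ch for v in base for ch in ALPHABET}
    return base | extended


def same_length_entropy_loss_bits(stored: str) -> float:
    """Bits of guessing work removed for guesses of the stored length:
    log2 of the number of case variants accepted instead of one."""
    return math.log2(len(case_variants(stored)))


def model_is_consistent(stored: str) -> bool:
    """Self-check: every generated variant passes the lenient check and
    only the stored string passes the strict one."""
    variants = accepted_variants(stored)
    lenient_ok = all(lenient_match(stored, v) for v in variants)
    strict_hits = sum(strict_match(stored, v) for v in variants)
    return lenient_ok and strict_hits == 1


if __name__ == "__main__":
    pw = "Password10"  # the answer's own example password
    print(len(accepted_variants(pw)), same_length_entropy_loss_bits(pw))
```

For the answer's "Password10" (8 letters), the lenient rule accepts 256 same-length strings plus 256 * 95 strings one character longer, i.e. 24576 strings where a strict check accepts one, an 8-bit reduction for same-length guesses.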