Recently I logged into my Facebook account and then noticed that my caps lock was on. So I tried to log in again with and without capslock on. I got in both times. Then I tried to log in with the first letter of my password in uppercase and the rest in lowercase. Again, I got in. How is this even possible? Does Facebook keep a cookie for the password or something?
-
I cannot recreate this. – RoraΖ Sep 23 '14 at 15:14
-
Try to log in to your Facebook using your password as lowercase and uppercase; you will get in with both of them. – StuckBetweenTrees Sep 23 '14 at 15:21
-
@StuckBetweenTrees No I can't. – RoraΖ Sep 23 '14 at 15:26
-
Related: http://webapps.stackexchange.com/questions/26301/facebook-accepts-more-than-one-password – rink.attendant.6 Sep 23 '14 at 15:40
1 Answer
This is simply Facebook trying to provide a better user experience for those users who may have Caps Lock enabled, or whose devices automatically capitalize the first letter of the password.
I don't think there are any cookies per your question. It is likely that the password hashing and storage is as standard as you would expect. The alternate passwords are probably generated from the password submitted, via the login form, and not stored as alternates on the back end.
It appears that they are only flipping a-z/A-Z, and not a mix of incorrect case. They are also checking against a capitalized first character, as pointed out by PwdRsch in the comments.
While this may increase the online brute force attack surface, if you use a password of high entropy, it's pretty unlikely that this would prove to be much of a security risk in my opinion.
i.e.:

```text
Password: aBcDeF123
Works:    AbCdEf123   // Flipped Case
Works:    ABcDeF123   // Caps First Char
Doesn't:  ABCDEF123   // Mixed Case
Doesn't:  AbCdEf!@#   // Shifted Numbers
```
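As an added example that is not part of the answer or Facebook's own code, here is a Python sketch of the login check the answer describes: one stored hash per account, with the tolerated variants derived from the submitted string at login time rather than stored. The PBKDF2 hashing, salt size and round count are assumptions; the block also counts how many distinct passwords one online guess covers, which is the whole of the attack-surface increase the answer mentions.

```python
import hashlib
import hmac
import os

# Hypothetical stand-in for the real backend's password hashing: one salted
# PBKDF2-HMAC-SHA256 hash per account, as standard as you would expect.
PBKDF2_ROUNDS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def enroll(password: str) -> tuple[bytes, bytes]:
    """Store the password exactly as typed at signup: a random salt and a single hash."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def flip_ascii_case(s: str) -> str:
    # Undo an accidental Caps Lock: swap case of a-z/A-Z only, leave digits and symbols alone.
    return "".join(c.swapcase() if c.isascii() and c.isalpha() else c for c in s)

def candidate_variants(submitted: str) -> list[str]:
    """Forms the login check tries, all derived from the submitted string:
    as typed, fully case-flipped, and with an auto-capitalised first letter lowered again."""
    variants = [submitted]
    for v in (flip_ascii_case(submitted), submitted[:1].lower() + submitted[1:]):
        if v not in variants:
            variants.append(v)
    return variants

def login_accepts(submitted: str, salt: bytes, stored_hash: bytes) -> bool:
    """True if any tolerated variant of the submitted password hashes to the stored hash."""
    return any(
        hmac.compare_digest(hash_password(v, salt), stored_hash)
        for v in candidate_variants(submitted)
    )

def guesses_covered(submitted: str) -> int:
    """How many distinct passwords a single online guess tests: at most three."""
    return len(candidate_variants(submitted))

if __name__ == "__main__":
    salt, h = enroll("aBcDeF123")  # constructed sample password from the answer's table
    for attempt in ("AbCdEf123", "ABcDeF123", "ABCDEF123", "AbCdEf!@#"):
        print(attempt, login_accepts(attempt, salt, h))
```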
This is correct and it has been this way for years. There is a third scenario, which is where Facebook [will accept your password with the first letter capitalized](http://www.zdnet.com/blog/facebook/facebook-passwords-are-not-case-sensitive-update/3612) even if it isn't normally. – PwdRsch Sep 23 '14 at 15:47
-
I can't find anything, but I don't think the server side authentication process is something that needs to be publicly documented. – David Houde Sep 23 '14 at 18:35
-
I read a post of a Facebook employee that explained that Facebook does actually store variations of the password hash to prevent reusing similar passwords (for example simply adding a 2). I'll try to find it. – Christian Strempfer Sep 23 '14 at 19:26
-
Ah sorry, they don't store them, [they generate similar passwords on password change](http://security.stackexchange.com/questions/53481/does-facebook-store-plain-text-passwords#comment84577_53483) to check if one matches with the old one. – Christian Strempfer Sep 23 '14 at 19:37
-
@Chris I can remember some fb employee replied to a similar thread. However, I don't see any reason to store variations of the password in hash form. When changing password, they can try to modify the new password with some variations and see if any of them matches their hash in file. – AKS Sep 24 '14 at 08:40