Facebook Fudges Your Password for Your Convenience

If you think the only correct version of your password is the exact capitalization and letter/symbol sequence you type, you may be in for a shock. Facebook will accept slight variations of your password, for your convenience. And it is less of a security problem than it sounds.

Passwords Are Easy To Mistype

Facebook and other sites like it have a problem. They’d like you to use long and complicated passwords, but those are hard to type. You should be using a password manager to take care of that for you, but most people don’t. And because of those two factors, it’s common to mistype your password.

At that point what should Facebook do?

Should they deny you entry just because your password was slightly off, and frustrate you with a second attempt? Or should they recognize that the provided password was likely correct but with a typo and smooth your journey to cat gifs and baby pictures by ignoring the mistake?

Facebook Evaluates Mistakes in Passwords

As Alec Muffett, a former software engineer on the security infrastructure team at Facebook Engineering in London, explains, Facebook chose the latter. If your password is very close to correct, it may be counted as correct. The rules are straightforward. Facebook will accept an incorrect password if it meets any of these conditions:

  • You have caps lock turned on, so the case of every letter is reversed.
  • You typed one extra character at the beginning or end of the password.
  • The first character of the password should be lowercase, but you typed it capitalized.

As you can see, these variations all center on the same idea: narrowly missing your password when typing. In some cases the culprit is a phone keyboard's autocapitalization, which upper-cases the first letter of a field. If your mistyped password fits one of these specific rules, you won't know there was a problem; you'll just find yourself logged in.

For example, say your password is “letMeIn”. Facebook will also accept “LETmEiN” (a straight caps lock reversal) and “LetMeIn” (only the first letter is wrongly capitalized). It will also accept “1letMeIn” and “letMeIn2”, which are correct apart from one extra character at the beginning or end. It will not accept “LETMEIN”, “letmein”, or “12LetMeIn”, because each of those is more than one of these corrections away from the real password.

This Process is Still Secure

At first blush, Facebook's password lenience sounds insecure, but the truth is more complicated. Old hacker crime dramas showed a password being brute-forced in a matter of minutes; real attacks don't work that way. Brute forcing unknown passwords does exist, but it is very different from what TV implies. As xkcd famously illustrated, every character you add to a password multiplies the number of guesses needed, so cracking time grows exponentially with length. Adding character-class complexity helps too, but not as much as you might think.

Consider the scenario that worries people most, the extra character at the beginning or the end. What the server actually does is strip one character from the guess and try again, so a single submitted guess covers the submitted string plus a handful of close variants. With all three rules combined that is at most five candidates per guess, which shrinks the brute-force search by a small constant factor (a little over two bits) and nothing more. The attacker still has to land within one keystroke or a case flip of the real password, and the login endpoint's rate limiting, not that factor, decides how many online guesses are possible at all.

Of particular interest is the caps lock scenario. I tested this by first manually typing my password into notepad, reversing the case, then pasting that result into Facebook. It denied that password. I then turned on caps lock and typed my password as though caps lock were off, thus reversing the case. That attempt was successful, and I was logged in. Facebook is not only checking what the password is but how you enter it. Brute force won't help in that scenario, short of simulating caps lock, which would be more difficult than just aiming for the actual password.

Update: As information security consultant Paul Moore points out on Twitter, Facebook is most likely storing only your original password (properly hashed and salted), not the variations. When you submit a password to log in, it is checked against that stored hash. If it doesn't match, Facebook runs your submitted password through the corrections above and tries each one in turn: if your caps lock was on, reversing the case of every letter recovers the real password, so that candidate matches; if it doesn't, the next correction is tried. Essentially, Facebook is doing what you would have done after a “wrong password” message, checking for an accidental typo and fixing it, which makes the whole process less frustrating. It barely affects security, because a guess still has to be within a single typo or case flip of the real password, and the set of accepted variations is small and fixed.
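The checking sequence the update describes, combined with the three accept/reject rules listed earlier, as an added worked example in Python. This is not Facebook's code and nothing here comes from Facebook; it assumes PBKDF2-HMAC-SHA256 as a stand-in for whatever salted password hash Facebook actually uses, and the function names, the candidate order, and the sample password “letMeIn” reused from the example above are this editor's choices.

```python
import hashlib
import hmac
import math
import os
from typing import List, Optional, Tuple

# Illustrative password store. PBKDF2-HMAC-SHA256 is used because it ships in
# the standard library; a real deployment would prefer a memory-hard KDF such
# as Argon2id or scrypt. (Assumption: Facebook's actual KDF is not public here.)
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash ONLY the original password. Variants are never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def candidate_passwords(submitted: str) -> List[str]:
    """The submitted string first, then the three typo corrections the article lists."""
    cands = [submitted]
    if submitted:
        # Caps lock was on: every letter's case is reversed.
        cands.append(submitted.swapcase())
        # Phone autocapitalization: only the first letter is wrongly upper-case.
        if submitted[0].isupper():
            cands.append(submitted[0].lower() + submitted[1:])
    if len(submitted) > 1:
        cands.append(submitted[1:])   # stray character at the start
        cands.append(submitted[:-1])  # stray character at the end
    # Drop duplicates (e.g. swapcase of an all-digit string) but keep the order.
    unique: List[str] = []
    for c in cands:
        if c not in unique:
            unique.append(c)
    return unique


def verify_lenient(submitted: str, salt: bytes, stored_hash: bytes) -> bool:
    """Try the exact submission, then each correction, against the one stored hash."""
    for cand in candidate_passwords(submitted):
        _, digest = hash_password(cand, salt)
        # Constant-time digest comparison so a near-miss leaks no timing signal.
        if hmac.compare_digest(digest, stored_hash):
            return True
    return False


def guess_expansion_bits(submitted: str) -> float:
    """Bits of search space that one online guess covers.

    At most five candidates are ever tried for one submission, so the attacker's
    advantage from the lenience is bounded by log2(5), about 2.3 bits.
    """
    return math.log2(len(candidate_passwords(submitted)))


if __name__ == "__main__":
    salt, stored = hash_password("letMeIn")  # constructed sample password
    for attempt in ["letMeIn", "LETmEiN", "LetMeIn", "1letMeIn", "letMeIn2",
                    "LETMEIN", "letmein", "12LetMeIn"]:
        verdict = "accepted" if verify_lenient(attempt, salt, stored) else "rejected"
        print(f"{attempt:>10}: {verdict}")
    print(f"worst-case advantage per guess: {guess_expansion_bits('LetMeIn'):.2f} bits")
```

Two practical points follow from the code. Each failed login can cost up to five KDF evaluations instead of one, so the lenience multiplies the CPU cost of a credential-stuffing flood, and the rate limiter in front of the endpoint matters more, not less. And because every accepted variant is derived from the submitted string on the server, only the original password's hash is ever stored; there is no second, weaker hash for an attacker to find in a dump.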

More importantly, brute force isn't the primary way attackers get into social networks and other accounts. Social engineering and password dumps are far easier. If your account has password reset questions, there is a decent chance that at least some of the answers are publicly available: if the question asks for your birthplace, your mother's maiden name, or your high school mascot, the answer can often be tracked down. At that point a bad actor can simply reset your password, and guessing the original becomes entirely moot.

Unfortunately, many people are still using the same email and password combination at every site that requires login credentials. You don’t have to look far to find instance after instance of data breaches. If you’re using the same email and password combination at more than one place, and have been for years, then your passwords are the vulnerability, not Facebook’s policies.

If you aren’t sure whether you’ve been caught up in a breach, go to haveibeenpwned.com and check whether your email address appears in a known data breach. Chances are at least one of your accounts has been exposed somewhere.

You Should Always Secure Your Accounts

If you’re still worried that this policy leaves you vulnerable, there are steps you can take. The first step is to stop using the same password for every site. Instead, get a password manager and let it generate unique long passwords for every different site you use. Then, the next time you see that a website you used has been compromised, you can change just that one password and feel safe knowing that this one known password won’t do the hackers any good.

After you harden your passwords, turn on two-factor authentication at every site that offers it. Facebook does, so set it up there as well. The strongest options are an authenticator app on your phone that generates short-lived codes, or a physical security key you keep with you. SMS-based two-factor authentication is better than nothing, but it is still vulnerable to social engineering, including attacks on your phone carrier that move your number onto an attacker's SIM. So if you can use an authenticator app or a physical key, do. And keep a backup method in place in case something happens to your phone or key.

With this combination, your account is far more secure regardless of Facebook’s password policies. You should at the very least use a password manager and unique passwords, but using those in combination with two-factor authentication is better.

Don’t Panic; Enjoy the Convenience

As for Facebook’s password policy, it’s easy to worry that it’s less secure, but the reality is the benefits outweigh the risks. Security is a balancing act. The more you lock down a system, the less convenient it is to access. But as you add more convenient access, you lose security. The trick is getting the right amounts of both to protect your users without frustrating them. Facebook erred on the side of user ease here, and that’s probably an acceptable decision.
