Sep 14, 2011

Every Facebook User Has Multiple Passwords

Facebook users log in to the social networking site with their username and password. Normally you would expect that the password is unique, and that no one else could access the account by entering a different password in the login prompt on the website.
If you have thought that then you have been wrong, and that for some time now.Emil Protalinski over at ZDNet found out by accident that Facebook appears to accept different password combinations during login. He noticed the issue after finding out that he was able to log into Facebook with Caps Lock on while entering the password.
One would expect that the login attempt would be turned down, but that is apparently not the case.
Facebook later confirmed that they accept three different forms of a user password:
  • The original password, obviously.
  • The original password with the first letter capitalized. This is apparently only working for mobile devices.
  • The original password with the letter case reversed.
If your password is ghacksIsGreat, Facebook would also accept GHACKSiSgREAT and GhacksIsGreat when connecting from a mobile device.
The reasoning behind that is to avoid to many caps lock conflicts for users logging in to the site. Numbers on the other hand are always displayed as numbers in the Facebook login prompt, which is why only letters are accepted with case changes. Facebook assumes that the caps lock key has been active if the password is send over with reverse case.
The question is this: Is the acceptance of password variations on Facebook a security issue? While brute force attacks could in theory benefit from the additional password forms that are accepted on Facebook, their impact seems to be neglectful, especially if secure passwords are selected by the site’s users.
It is still a security issue, and some users might prefer warnings that the caps lock key is active to the way Facebook is handling the issue right now.
Facebook is not the only company that was criticized for their password security. Amazon was recently in the news as well: Amazon Login May Accept Password Variants


Post a Comment