

Ask HN: How does Facebook detect slight misspelling of password? - sshrin

I just tried logging into FB and I inadvertently misspelled my password. FB detected this and told me that my password was slightly off (this isn't the exact error message but is representative).

How do they know? I use BCrypt on my sites and I wonder how such a message can be generated if you haven't stored the plain text password? One way could be to also store some other hash that makes computing the edit distance easy but wouldn't that negate the problem BCrypt solves in the first place (namely making it hard to brute force the correct password)?
======
tlammens
I really hope they don't do this... Makes it even easier for an attacker to
get into an account.

What was the exact error message, instead of your interpretation of the error
message?

------
aj
I tried reproducing the behavior you describe, but with various combinations of
slightly off passwords I never received the error message you describe.

~~~
zokiboy
Same here.

------
mathgladiator
They could just compute every possible edit distance of one (or some obvious
misspellings or errors like case) and see if that is your password.

