

Passwords For Your Facebook Account - heroic
http://www.labnol.org/internet/facebook-account-passwords/21241/

======
TamDenholm
Ignoring the security implications for a moment, this is a very nice UX
enhancement. I do imagine that it would eliminate the vast majority of the
invalid password attempts, thus making people's experience much better.

Now, the question is, just how much security are you losing by allowing this?
Assuming the passwords are stored correctly, my guess would be that passwords
that are considered secure already would only be marginally less secure
because of this; however, non-secure passwords (common ones) are a hell of a
lot less secure, but only in a relative context: they're still just as insecure
as the original insecure password.

I'm not sure I articulated this properly so if I didn't let me know.

~~~
mistercow
I would also argue that the security implications of this are largely
positive. It removes less than two bits of entropy even from a randomly
generated password, but it means that users reset their passwords less often,
and I would guess that when users reset a "forgotten" password, they usually
choose something weaker (and thus more memorable).

------
Anm
I'd like to note that their assumptions on caps lock do not apply to Mac. If you
hold shift while caps lock is on on a Mac, it still gives uppercase.

Of course, if they implemented this, it would turn it into a case insensitive
password with much bigger security implications. So, this isn't a criticism of
their decision. Only an observation.

------
tomkinstinch
This raises several questions:

Have they always done this, or is this new?

For those of us who haven't changed our Facebook password in years, does this
mean that we don't get this option, or do we? And if we do, is Facebook
storing our passwords in plaintext?

~~~
heroic
They don't need to store your password in plaintext for this, but it does raise
a security concern. 3 times the chances to have your password guessed by brute
force!

~~~
FaceKicker
It's actually much more than 3 times the chance; this rule allows you to
restrict your brute force search to only check passwords with no uppercase
characters (or no lowercase characters) which reduces the key space for a
given maximum password length quite a bit. (e.g., if there were normally 100
characters allowed and n is the max length, taking out 26 characters reduces
the search space from 100^n to 74^n - not that an intelligent password cracker
would ever try to iterate straight through the actual space of all allowable
passwords)

~~~
eshrews
Read the article again, it's not making the passwords case insensitive, merely
allowing you to invert the case, i.e., if your password was "aSdf" neither
"ASDF" nor "asdf" would work.

~~~
FaceKicker
Well I feel dumb, sorry. I thought he meant original casing + all lowercase
version + all uppercase version were all acceptable (which isn't the same as
case insensitive but for the purposes of cracking it is just as bad).

~~~
tlrobinson
If you don't use Windows you definitely shouldn't feel dumb: if caps lock is
enabled on Windows shift will cause you to type a lower case letter, thus
inverting what you intended to type rather than uppercasing everything.

I was confused until I realized the caps lock case only applies to Windows
users.

~~~
FaceKicker
I've been using OSX as my primary OS for about a year (other than using Linux
exclusively on every machine I SSH into for dev), but I just found out from
your post that caps lock + shift _doesn't_ make things lowercase on Mac. So,
nope, I have no excuses :P

------
davweb
There's a nice article about this on the AgileBits blog [1]. In summary they
say it's a net gain for security because trying variations on a supplied
password doesn't help an attack much and reducing the number of password
resets is a positive from a security perspective.

[1] http://blog.agilebits.com/2011/09/13/facebook-and-caps-lock-unintuitive-security/

------
hafabnew
While obviously Facebook will be storing this as hash(normal),
hash(upper(normal)), and hash(lower(normal)), there's an interesting security
benefit to storing this in 3 columns, 'password1', 'password2' and
'password3'. The trick then is to randomise which hash gets stored in which
column, i.e., password1 doesn't always correspond to hash(normal).

The slight benefit of this being that if your database is leaked, then the
attacker won't have his/her brute forcing job made easier by knowing that the
password3 hash only contains lowercase alphanumeric characters.

Edit: Apparently I suck at reading, it's not upper() and lower(). Woops :).
Well, if any other sites do store upper() and lower() variations, I wonder if
they use this idea?

~~~
rplnt
I don't think they store three hashes though. Just the original one, and they
check against that. Only if that fails do they proceed to verify other variants.
There are only two: first letter uppercase (presumably for stupid phones) and
inverse password (for caps lock on PCs). Both of these variants are reversible
(i.e., you can revert the change to get the original password).

------
chengiz
You can also log in with your profile name, which I didn't know until very
recently when I mistakenly dropped the @domain.com and was initially surprised
to find it worked.

~~~
why-el
That only works if you actually change your profile name to something
meaningful like facebook.com/yourname. A lot of people don't do that (they
have an autogenerated id) and in that case the email is mandatory. I should
also note that you can only change your profile name, i.e.
facebook.com/profilename, twice. That is, going from something like
facebook.com/profile.php?id=34534643 to facebook.com/profileName1 to
facebook.com/profilename2. After that Facebook won't allow you, for some
reason.

------
Dave_Rosenthal
Also, I just noticed this evening that Facebook explicitly notifies you of
incorrectly using your old password. Not sure how far back they go to
check.

------
pazimzadeh
The question is, what IS the value of the true password? How do you define
"something and its inverse?"

~~~
rplnt
I don't think I follow. What is the question?

(To get inverse password you simply reverse the case on all letters.)

~~~
pazimzadeh
I mean that while Facebook prompts you for a password in a single field, if
you enter "passWORD" the true value of your password is both "passWORD" and
"PASSword", but there's no way to express that idea in the English language.
If someone asked you what your password was, what would you say if you wanted
to be completely accurate?

It's just a dumb philosophical thought I had.

------
aneth
One interesting observation from the comments:

On a Mac, shift with caps-lock on doesn't toggle to lower-case, so they would
need to store a fourth version for this to work.

OPERATI@NGERONIMO

Overall it's a clever UX hack, though I worry they came to it by observing
invalid password attempts which seems slightly outside of appropriate,
although it doesn't particularly bother me in this case.

~~~
MartinCron
That would make all passwords essentially case-insensitive (all uppercase
would work) and that would make it much easier to brute force than the
inverted version.

~~~
aneth
True, and a good reason not to implement this solution.

------
dkersten
My capslock key is backspace, so this feature is useless to me.

