

FaceBook's login hack for people who leave CAPS LOCK on. - woodall
http://www.reddit.com/r/netsec/comments/ke7lh/facebook_passwords_not_casesensitive_if_fully/

======
sdkmvx
This reminds me of the old UNIX login hack. Because some terminals did not
have lowercase capabilities, older versions of login would lowercase
everything (including to the shell after login) if you typed your username in
all caps. This wouldn't work if you had any capital letters in your password,
but that was unlikely in the 1970s anyway.

------
pkamb
If I recall correctly, OS X doesn't do the "Caps-Lock + Shift = lowercase"
thing that Windows does. So if you have caps-lock on, every letter will be
capitalized regardless of holding shift.

Does that allow you to log-in with this 'hack'? It wouldn't produce the
"opposite caps state" string that Windows creates.

------
smackfu
The only caveat with this is that it makes the "# of password retries allowed"
number kind of fuzzy. An attacker gets two or three tries behind the scenes
for every one they try. Like if they figure you used your cat's name, they get
to try "FLUFFY" and "fluffy" and possibly "Fluffy" all at once.
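
The retry accounting described in the comment above, as an added example that is not part of the thread and is not Facebook's code: a verifier that accepts case variants tests several passwords per submission while a lockout counter sees only one. The variant set (as typed, case-inverted, first letter lowercased), the `MAX_ATTEMPTS` threshold, and all names and sample passwords are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # assumed lockout threshold, counted per submission


def variants(typed):
    """Candidate passwords checked for one submission (assumed variant set)."""
    out = [typed, typed.swapcase()]  # as typed, then caps-lock inverted
    if typed[:1].isupper():
        out.append(typed[:1].lower() + typed[1:])  # auto-capitalised first letter
    return list(dict.fromkeys(out))  # de-duplicate, keep order


def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.stored = hash_pw(password, self.salt)
        self.submissions = 0       # what the lockout counter sees
        self.passwords_tested = 0  # what was actually checked

    def login(self, typed):
        if self.submissions >= MAX_ATTEMPTS:
            return False  # locked out
        self.submissions += 1
        ok = False
        for candidate in variants(typed):  # check every variant, no early exit
            self.passwords_tested += 1
            ok |= hmac.compare_digest(hash_pw(candidate, self.salt), self.stored)
        return ok


def demo():
    acct = Account("fluffy")  # constructed sample password
    results = [acct.login(g) for g in ("Rex", "Whiskers", "FLUFFY")]
    return results, acct.submissions, acct.passwords_tested


if __name__ == "__main__":
    print(demo())
```

When sizing a lockout threshold or estimating online guessing resistance for such a scheme, the figure that matters is `passwords_tested`, not `submissions`.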

------
untog
This must be intentional. I can see how it makes sense, but IIRC there is a
way to detect whether a user has caps lock on using JS, so that might be a
better way forward.

Either way, it's not a ton of use unless you know the person's password in the
first place.

~~~
Me1000
There's no way to detect if the user's caps lock is turned on in JS.

~~~
Terretta
Am mobile so can't check if it still does, but Apple's me.com login page used
to inform you if caps lock was on, using the method in the article linked to
from sibling comment's StackOverflow link:

[http://dougalmatthews.com/articles/2008/jul/2/javascript-det...](http://dougalmatthews.com/articles/2008/jul/2/javascript-detecting-caps-lock/)

------
Me1000
Not really a hack, but a nifty UX feature.

