Ethics of storing incorrect login attempt credentials? - refucktoring
http://refucktoring.com/?p=207

======
michaelt
Most failed login attempts are probably the user's correct password with a
letter or two transposed or missing. And a competent, ethical developer
wouldn't store the user's correct password except salted and hashed using an
appropriate algorithm (like bcrypt).

Why would you store the one-character-off password with any less protection?

Given that one would only store incorrect login attempts in hashed form, I'm
having trouble thinking of any useful analytics you could perform on them.

~~~
refucktoring
Of course ethical devs would store like that. Ethics kinda goes out the window
when, as a company, you get two choices: play ball with the local law or take
your business out of the country.

My point was that, due to human error, sometimes account credentials from one
network end up in another network's login prompt.

I do not find it improbable that a network like Facebook could be ordered to
capture all invalid login attempts on certain "red-flagged" accounts, that
would be pretty bad. A bit like subconsciously-volunteered phishing, but as
the user you wouldn't think twice about it (and "burn" that other password
from everywhere else you used it), no matter how paranoid you are.

------
luchen
> *How do I know? Try a slight misspelling of your password and see what
> happens. Not a hash, unless they’re precomputing the hashes of all possible
> misspellings you’d do…

Facebook doesn't store passwords in plaintext. See this Quora response from an
engineer: [http://www.quora.com/Facebook-1/Is-Facebooks-slight-
mispelli...](http://www.quora.com/Facebook-1/Is-Facebooks-slight-mispelling-
password-feature-secure/answer/Cullen-Walsh)

~~~
refucktoring
I stand corrected, I updated the post.

------
captn3m0
I tried entering mis-spellings of my current Facebook password, and Facebook
gave me nothing other than telling me that it was incorrect. I'm pretty sure
that something as huge as FB wouldn't be storing passwords in plain-text. They
definitely keep a hash of your previous (n=?) passwords, though.

~~~
moocowduckquack
As far as I am aware if you have the caps lock on, it doesn't care, so caps
inverted passwords still work. I'm not sure about other variations.

~~~
eloisius
That's a lot easier than telling you about minor typos in your password. You
just store two hashes: one of the password and one of its inverted case.

~~~
Dylan16807
Why would you store two versions? Just hash the password you were given twice.

~~~
eloisius
That's what I said: hash both the password and its case-inversion. Did you
mean something else?

~~~
refucktoring
I think: hash the original version only, then when trying to log in, try both
case-as-is and then flipped case.

~~~
eloisius
Ah. Duh.

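The single-hash scheme refucktoring describes above (store one hash of the password as typed, and at login check the attempt as typed and then its case-inversion), as an added example that is not code from the thread. It assumes PBKDF2-HMAC-SHA256 from the standard library in place of the bcrypt the thread mentions; the parameters are illustrative.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: PBKDF2-HMAC-SHA256 stands in for bcrypt here.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2(password). Only the password as typed is hashed;
    no second record is kept for the case-inverted form."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt + digest


def _matches(stored: bytes, candidate: str) -> bool:
    """Recompute the hash for one candidate and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(recomputed, digest)


def verify_login(stored: bytes, attempt: str) -> bool:
    """Accept the attempt as typed or with every letter's case flipped
    (the caps-lock case). The attempt itself is never stored; a failed
    attempt leaves nothing behind but this function's return value."""
    candidates = [attempt]
    flipped = attempt.swapcase()
    if flipped != attempt:          # skip the duplicate check for letterless input
        candidates.append(flipped)
    return any(_matches(stored, c) for c in candidates)
```

Only a full case inversion is accepted; a partially mis-cased attempt still fails, so the lowered effort for a guesser is at most a factor of two per guess.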
------
krapp
I would be less worried about the ethics of a company stealing your login
credentials (which, really, if they wanted to they could do anyway) as of the
control they attempt to execute over your account and any social media or real
world identifying data they require from you.

------
jongraehl
Yes - it would be reckless to store users' login attempts (correct or
incorrect) in the clear, no matter the purpose. And I've never heard of anyone
doing that - it's pretty self-evident.

