
Recently I logged into my Facebook account and then noticed that my caps lock was on. So I tried to log in again with and without capslock on. I got in both times. Then I tried to log in with the first letter of my password in uppercase and the rest in lowercase. Again, I got in. How is this even possible? Does Facebook keep a cookie for the password or something?

TRiG

1 Answer


This is simply Facebook trying to provide a better user experience for those users who may have Caps Lock enabled, or whose devices automatically capitalize the first letter of the password.

I don't think there are any cookies per your question. It is likely that the password hashing and storage is as standard as you would expect. The alternate passwords are probably generated from the password submitted, via the login form, and not stored as alternates on the back end.

It appears that they are only flipping a-zA-Z, and not a mix of incorrect case. They are also checking against a capitalized first character as pointed out by PwdRsch in the comments.

While this may increase the online brute force attack surface, if you use a password of high entropy, it's pretty unlikely that this would prove to be much of a security risk in my opinion.

e.g.:

Password: aBcDeF123
Works:    AbCdEf123  // Flipped Case
Works:    ABcDeF123  // Caps First Char
Doesn't:  ABCDEF123  // Mixed Case
Doesn't:  AbCdEf!@#  // Shifted Numbers
user137369
David Houde