Why Does Facebook Accept Passwords That Are Wrong?
Some of you probably know how unpleasant forgetting a password is. There is, however, one thing that is even more frustrating – seeing the 'Incorrect Password' dialog when you're sure that the password you're entering is, in fact, correct. Facebook has decided to relieve you of some of this stress.
It's not a new feature. The world's biggest social network has been doing it for a while, but a couple of weeks ago, a response from Facebook's support team got publicly shared and kicked up a bit of a storm.
Facebook will let you into your account even with a password that, from a technical point of view, is wrong. The idea is that if you mistype your password for some reason, Facebook will see that what you're entering is close to the original, it will realize that it's really you, and it will let you in.
Ironically, most of the discussion is happening on Twitter, and it all started with the following tweet:
Update: did anyone know this? pic.twitter.com/sASr6JWJUI
— Hawkotron (@Hawkotron) January 23, 2019
Quite a few people reached for the pitchforks and torches upon hearing this which shouldn't really be a surprise considering Facebook's recent series of privacy blunders. That being said, the "Facebook is evil" discourse might just be fogging some people's judgment. Let's take a closer look at what Facebook does, why it does it, and what sort of risks this brings.
Facebook password storage concerns
Before we get to the question of whether or not successfully authenticating people with permutations of the real password is the right thing to do, let's have a look at the technical aspects, and, more specifically, at what this feature means for Facebook's password storing mechanisms.
As many of you know, the only secure way of storing passwords is by hashing and salting them. Many people started doubting whether Facebook is doing this, and with good reason. The whole point of securely hashing the passwords is that no one, not even Facebook, can see them. Logic dictates that if it allows permutations of the real password, it must somehow be able to see it.
Facebook itself has put out no official information about its password storing habits, but experts seem convinced that the social media behemoth is not saving passwords insecurely. Some of them reckon that Facebook saves several hashes (the real password and the allowed permutations) per user. Others think that when it sees a version of your password, it strips it down to what it thinks you wanted to enter, hashes it, and compares the hash value to what it has stored in its database. But how does it do that?
Facebook only allows certain permutations of your password
The idea isn't to let you in as soon as you enter something that is remotely similar to your password. In fact, it only works in a few selected scenarios.
For example, keyboard applications on mobile devices often capitalize the first letter of a sentence which could be useful in a number of cases. When you're entering passwords, however, these apps will turn "mysecurepassword" into "Mysecurepassword", which, according to many online service providers, is a completely different password. To save you the confusion, Facebook will let you in without any additional hassle.
It will also do it if you've forgotten to turn the Caps Lock off ("MYSECUREPASSWORD"). Accidental case inversion in passwords with both uppercase and lowercase letters is also accounted for meaning that if your password is "MySecurePassword", you will be able to access your account using "mYsECUREpASSWORD". Finally, Facebook will let you in in case of a rogue character before or after your password (e.g., "1mysecurepassword", "mysecurepassword1", etc.).
Security vs. usability – the never-ending battle
It's not difficult to see why this design decision is so controversial. Math tells us that allowing several different variations of the same password ruins its https://www.cyclonis.com/what-is-password-entropy-how-use-own-benefit/ entropy. From a purely statistical point of view, if you double the number of passwords that can open an account, you double the chances of hackers breaking in.
At the same time, if Facebook is to survive, it needs people to log in and interact with the network. Frustrating them is the last thing it wants. It knows that this authentication feature does bring certain risks, but it's willing to accept them. Alec Muffet, a security specialist who used to work for Facebook, has actually discussed why giving users "some slack" is a good call. You can listen through his arguments and decide for yourself whether you agree with them.
Your main focus should be on the strength of your password, though. If you protect your Facebook account with a unique password that is reasonably long and hard to guess, the social network's leniency towards people who forget the Caps Lock on will have no practical effect on your security.
With a password management tool like the Cyclonis Password Manager, you won't be faced with the problem of forgetting or mistyping passwords because it will do it all for you. To learn more about how it works, click here.