Sep 19, 2011

facebook password and CAPS Lock

Recently, I discovered that if your facebook password is PasSwoRd, you are able to log in with pASsWOrD as well as PasSwoRd.

That doesn't mean that the password is not case-sensitive. The passwords are case-sensitive, but at the same time the case can be toggled. My first thought was that this is not good from a security point of view. But later on, I found that it is actually a good thing for the user.

Many times, when the account is first created, the user is not aware whether CAPS Lock was ON or OFF, and cannot notice it either, since passwords are masked. I don't know whether it is a bug, but presumably facebook has coded their system in such a way that the login system is indifferent to the status of the CAPS Lock key. So in the example above, if your actual facebook password is PasSwoRd but you are not aware that CAPS Lock is ON and as a result you enter your password as pASsWOrD, facebook will first check the entered password; if it doesn't match, it will internally check the case-toggled password, and if that matches, the user is able to log in. But since the passwords are case-sensitive, it won't allow logins with "password" or "PASSWORD". If the password contains numbers, the numbers are to be entered as they are in the original password.

Apparently, facebook accepts the following 3 passwords:

1) The original password
2) The original password with case toggled for all the characters
3) The original password with case toggled only for the first character (while logging in from mobile devices, since some devices put the first character in upper case by default)
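As an added example (not facebook's code, whose internals the post does not describe), here is how a login check that accepts exactly the three spellings listed above could be written. The salted PBKDF2 hashing, the salt value, the iteration count and the function names are assumptions of the example; `accepted_spellings` also shows that the set of strings a stored password accepts never exceeds three and shrinks when the password has no letters.

```python
import hashlib
import hmac
from typing import Optional

# Iteration count kept low so the example runs quickly; production would use far more.
ITERATIONS = 20_000


def toggle_first(s: str) -> str:
    """Toggle the case of the first character only (mobile auto-capitalisation)."""
    return s[:1].swapcase() + s[1:]


def variants(attempt: str) -> list:
    """The three spellings the post says are tried, in order: as typed,
    every letter toggled (CAPS Lock), first letter toggled (mobile).
    Digits and symbols are unaffected by swapcase, as the post notes."""
    return [("exact", attempt),
            ("swapcase", attempt.swapcase()),
            ("first", toggle_first(attempt))]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (an assumption; the post only says 'encrypted')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(stored_hash: bytes, salt: bytes, attempt: str) -> Optional[str]:
    """Return which variant matched the stored hash, or None if none did.
    Each variant costs one full hash, so a toggled login is up to 3x as expensive."""
    for label, candidate in variants(attempt):
        if hmac.compare_digest(stored_hash, hash_password(candidate, salt)):
            return label
    return None


def accepted_spellings(password: str) -> set:
    """Every string that verify() would accept for this stored password.
    Because both toggles are involutions, this is just the variants of the
    password itself; duplicates collapse, so the set has at most 3 members."""
    return {candidate for _, candidate in variants(password)}


if __name__ == "__main__":
    salt = b"constructed-example-salt"          # constructed; real salts are random
    stored = hash_password("PasSwoRd", salt)    # the post's example password
    for attempt in ("PasSwoRd", "pASsWOrD", "pasSwoRd", "password", "PASSWORD"):
        print(f"{attempt:>9} -> {verify(stored, salt, attempt)}")
    print(accepted_spellings("PasSwoRd"), accepted_spellings("1234"))
```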

Now, as long as the password is case-sensitive, I don't think this compromises the user's security even a bit.

Let's consider the two main types of attacks, offline and online.

Offline Attack: Suppose a hacker gets access to facebook's encrypted database of passwords and is able to decrypt them. He can then easily try the same password with CAPS Lock ON and OFF; that's a fairly common guess. So there is no compromise on security due to this feature.

Online Attack: facebook has a limit on the number of failed password attempts, and after this limit it asks for some alternative login credentials. So, unless the hacker is very lucky, this limit will be hit before he can try the toggled version of his guess in a brute-force attack. So again, this feature doesn't harm.

Because of this feature, facebook must have reduced the number of password reset requests, since most such requests are caused by ignoring the status of the CAPS Lock key. This is again good from the user's point of view, since password reset mails are more vulnerable to attacks and many email systems or email clients are not that secure.

All in all, if you are logging into facebook, do not worry about whether your CAPS Lock is ON or OFF. Your online security is not jeopardised because of this. You are completely safe if you follow the other password security norms.
