Before you read this post, try something: log in to your Facebook account with your keyboard's caps lock ON.
Holy cow! You can log in!
Now try something different. If the first character of your password is a lowercase letter, log in (from a mobile device) with that first letter capitalized. You will see that you can still log in.
It turns out that Facebook's password check is somewhat case insensitive. What am I talking about here? Well, if your password is "helloWORLD", you can log in with at least the following three strings:
1. helloWORLD
2. HelloWORLD
3. HELLOworld
#2 works only if you log in from a mobile device. Facebook considers this a feature: it lets people log in even when they make minor mistakes. For example, mobile text entry often capitalizes the first letter, so Facebook ignores the case of the first character. If your caps lock is ON, every letter's case is inverted, and Facebook accepts that too.
In my view it is a BAD idea to allow this. It bakes in implicit assumptions, e.g. that all keyboards in the world behave alike: with caps lock ON, a-z becomes A-Z and the rest of the keyboard is unaffected. What if some foreign-language keyboard layout changes other characters when caps lock is ON? Will Facebook allow the login then? What if the password was created with caps lock accidentally ON without the user's knowledge? Will the user be able to log in later with caps lock OFF, given that case inversion does not round-trip for every character?
Overall, making a corner case easy might create several other corner cases.
Let's wear the security hat now. If earlier a single guess could match only one password, it can now match up to three, so an attacker's effective search space shrinks by up to a factor of three: roughly, a 1 in 100 chance of cracking my password becomes 3 in 100. What about caps lock ON on a mobile device? Did Facebook handle the case where caps lock is ON and the first character is also auto-capitalized? Could there be more cases, such as accepting a capitalized first letter typed in lowercase? Developers typically end up mishandling some of these corner cases and open an attack vector.
My sense of insecurity comes from the fact that many people use passwords with some association to their lives, like their pet's name or place of birth. One way they try to evade easy discovery is to use these familiar phrases but change the case of the first letter, or swap the case of the whole phrase: for example "grand-teton" becomes "Grand-teton", in the hope that it is harder to guess. Bob, who knows which phrases his friend Alice likes, can try them without paying much attention to case and still crack Alice's password!
Recommendation: make your Facebook password stronger, so that it cannot be cracked by the slack that Facebook's case insensitivity gives an attacker.
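To make the discussion above concrete, here is an added example (my own code, not Facebook's; the exact rules Facebook used are not public, so the model assumes only the three cases listed in this post): a lenient password check that accepts the variants described, a wordlist showing how many guesses Bob actually needs against Alice, the caps-lock-plus-auto-capitalization combination, and a password containing "ß" whose case inversion does not map back to the original. The wordlist and the behaviour of a keyboard whose caps lock leaves "ß" unchanged are constructed assumptions for the example.

```python
# Added example, not Facebook's code: a model of the lenient password check
# described in the post, plus what it does to an attacker's guess count.
# Assumption: only the three cases the post lists are accepted.
import hashlib
import hmac
import os
from typing import Dict, List

PBKDF2_ROUNDS = 10_000  # kept low so the example runs quickly; use far more in production


def accepted_variants(submitted: str, mobile: bool = False) -> List[str]:
    """Strings the lenient check treats as equal to what the user typed.

    1. the password exactly as typed
    2. every letter's case inverted (caps lock was on)
    3. mobile only: the first character's case swapped (auto-capitalisation)
    Duplicates are dropped, so an all-digit password yields a single variant.
    """
    variants = [submitted, submitted.swapcase()]
    if mobile and submitted:
        variants.append(submitted[0].swapcase() + submitted[1:])
    unique: List[str] = []
    for v in variants:
        if v not in unique:
            unique.append(v)
    return unique


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str) -> Dict[str, bytes]:
    """Store a salted hash of the password exactly as the user set it."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


def strict_verify(record: Dict[str, bytes], submitted: str) -> bool:
    """The usual check: only the exact string the user set is accepted."""
    return hmac.compare_digest(_derive(submitted, record["salt"]), record["hash"])


def lenient_verify(record: Dict[str, bytes], submitted: str, mobile: bool = False) -> bool:
    """Accept if any accepted variant of the submitted string hashes to the stored hash."""
    return any(strict_verify(record, v) for v in accepted_variants(submitted, mobile))


def inversion_round_trips(s: str) -> bool:
    """Does inverting case twice give the original back? Not for every letter:
    'ß' inverts to 'SS', and 'SS' inverts to 'ss', not back to 'ß'."""
    return s.swapcase().swapcase() == s


def effective_guesses(wordlist: List[str], mobile: bool = False) -> int:
    """Distinct guesses an attacker needs to cover every password in `wordlist`
    when the server equates each guess with all of its accepted variants."""
    covered = set()
    guesses = 0
    for candidate in wordlist:
        if candidate in covered:
            continue
        guesses += 1
        covered.update(accepted_variants(candidate, mobile))
    return guesses


# Constructed wordlist: things Bob knows Alice likes, in the case spellings she might use.
ALICE_GUESSES = ["grand-teton", "Grand-teton", "GRAND-TETON", "gRAND-TETON",
                 "fluffy", "Fluffy", "FLUFFY"]

if __name__ == "__main__":
    rec = make_record("helloWORLD")
    print(lenient_verify(rec, "HELLOworld"))               # True: caps lock on
    print(lenient_verify(rec, "HelloWORLD", mobile=True))  # True: auto-capitalised
    print(lenient_verify(rec, "hELLOworld", mobile=True))  # False: both at once is not covered
    print(len(ALICE_GUESSES),                              # 7 strings in the list ...
          effective_guesses(ALICE_GUESSES),                # ... 4 guesses on desktop ...
          effective_guesses(ALICE_GUESSES, mobile=True))   # ... 3 guesses on mobile
    # Password set as "straße"; assume caps lock leaves ß unchanged, so the user types "STRAßE".
    print(lenient_verify(make_record("straße"), "STRAßE"))  # False: inversion gives "straSSe"
```

Two points worth noting. First, the leniency is symmetric in the hash comparison (the server transforms the submitted string, never the stored one), so a seven-entry wordlist collapses to four guesses on desktop and three on mobile without Bob doing anything clever. Second, the "ß" case shows the author's round-trip worry in practice: a user whose caps lock was on when the password was set may not be able to reproduce the inversion later, and a user whose caps lock leaves some characters unchanged gets no help from the feature at all.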
For details of how this was found and Facebook's reaction, read: http://www.zdnet.com/blog/facebook/facebook-passwords-are-not-case-sensitive-update/3612?tag=nl.e589