If you think the only correct version of your password is the exact sequence of letters and symbols you chose, you may be in for a shock. Facebook will accept small variations of your password for your convenience. And it is still safe.
Passwords are easy to mistype
Facebook, like other sites, has a problem. It would like you to use long and complicated passwords, but those are hard to type. You should use a password manager to take care of that for you, but most people don't. Because of these two factors, it is common to mistype your password.
So what should Facebook do about it?
Should it deny you entry just because your password was slightly off, frustrating you with a second attempt? Or should it accept that the submitted password was probably correct apart from a typo, and smooth your path to cat and baby pictures by ignoring the mistake?
Facebook tolerates mistakes in your password
As Alec Muffett, a former software engineer on the security infrastructure team at Facebook Engineering in London, explains, Facebook chose the latter. If your password is very close to correct, it can be counted as correct. The rules for this are simple. Facebook will accept an incorrect password if it meets any of the following conditions:
- You have Caps Lock enabled and the capitalization is reversed.
- You entered an extra character at the beginning or end of the password.
- The first character of the password should be lowercase, but you typed it capitalized.
As you can see, all of the variations center on the basic idea of mistyping your password. In some cases the cause may be auto-correction, such as a phone capitalizing the first letter of a word. If your incorrect password meets one of these specific rules, you will never know there was a problem; you will simply find yourself logged in.
Let's say your password is "letMeIn". Facebook also accepts "LETmEiN" (because it is a straight Caps Lock reversal) and "LetMeIn" (because only the first letter is incorrectly capitalized). It will also accept variations like "1letMeIn" and "letMeIn2", because they are correct apart from an extra character at the beginning or end. However, it will not accept "LETMEIN", "letmein" or "12LetMeIn" at all.
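To make the three rules concrete, here is an added Python sketch (not Facebook's code, which the article does not show) that derives the tolerated variants of what the user typed and checks each one against a stored password hash. The Caps Lock rule is modelled as a client-reported flag, an assumption standing in for however Facebook detects Caps Lock state; the PBKDF2 parameters, salt and stored hash are constructed demo values.

```python
import hashlib
import hmac
from typing import List

# Constructed demo values: a real deployment uses a random per-user salt and
# a much higher iteration count; 20_000 keeps the example quick to run.
SALT = b"constructed-demo-salt"
PBKDF2_ROUNDS = 20_000


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Stand-in for whatever slow hash the site stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Stored hash for the article's example password "letMeIn".
STORED_HASH = hash_password("letMeIn")


def candidate_variants(typed: str, caps_lock_on: bool) -> List[str]:
    """The typed password plus the variants the article says Facebook tolerates.

    Each rule is applied on its own (the article says 'any of the following'),
    so at most five candidates are ever tried.
    """
    variants = [typed]
    # Rule 1: Caps Lock was on, so the case of every letter is reversed.
    # Only tried when the client reports Caps Lock (assumed signal).
    if caps_lock_on:
        variants.append(typed.swapcase())
    # Rule 2: one stray character at the beginning or at the end.
    if len(typed) > 1:
        variants.append(typed[1:])
        variants.append(typed[:-1])
    # Rule 3: first character auto-capitalized when it should be lowercase.
    if typed[:1].isupper():
        variants.append(typed[0].lower() + typed[1:])
    return variants


def verify(typed: str, caps_lock_on: bool, stored_hash: bytes = STORED_HASH) -> bool:
    """Accept if any tolerated variant hashes to the stored value."""
    for candidate in candidate_variants(typed, caps_lock_on):
        # Constant-time comparison so timing does not leak which variant matched.
        if hmac.compare_digest(hash_password(candidate), stored_hash):
            return True
    return False
```

Because each login attempt tries at most five candidates, the tolerance multiplies an attacker's effective guess rate by a small constant, which is negligible next to the exponential cost of password length.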
This process is still secure
At first blush, Facebook's password tolerance sounds insecure. But the truth is more complicated. It is easy to think of old hacker crime dramas that showed a password being brute-forced in a few minutes, but hacking doesn't work like that at all. Brute-forcing unknown passwords does exist, but it is very different from what TV portrays. As xkcd illustrates well, as the length of a password increases, the time to crack it grows exponentially. Adding complexity helps, but not as much as you might think.
So one of the scenarios Facebook allows, an extra character at the beginning or end of the password, would be even harder to brute-force. An attacker would already need the correct password before arriving at the password plus an additional character.
Of particular interest is the Caps Lock scenario. I tested this by typing my password into Notepad, reversing the case and pasting the result into Facebook. It denied that password. Then I turned Caps Lock on and typed my password as if Caps Lock were off, which reversed the case. That attempt succeeded, and I was logged in. So Facebook checks not only what the password is but how you entered it. Brute force does not help in that scenario; an attacker would have to simulate Caps Lock, which is harder than simply submitting the actual password.
More importantly, brute-force methods are not the primary way attackers get into social networks and other accounts. Social engineering and password dumps are far easier to use. If you have password-recovery questions, there is a decent chance that at least some of the answers are publicly available information. If your recovery question is your birthplace, your mother's maiden name or your school mascot, it is possible to track the answer down. A bad actor can then reset your password, which means they never have to guess or crack the password at all.
Unfortunately, many people still use the same email and password combination on every site that requires a login. You do not have to look far to find instance after instance of data breaches. If you have used the same email and password combination in more than one place, and have been doing so for several years, your passwords are the vulnerability, not Facebook's policy.
If you are not sure whether you have been a victim of a breach, go to haveibeenpwned.com and check whether your password has been stolen. Chances are you have had at least one account compromised somewhere.
You should always secure your accounts
If you are still concerned that this policy leaves you vulnerable, there are steps you can take. The first is to stop using the same password on every site. Instead, get a password manager and let it generate a unique long password for every site you use. Then, the next time you see that a website you used has been compromised, you only have to change that one password, safe in the knowledge that the exposed password does the attackers no good anywhere else.
Once you have hardened your passwords, turn on two-factor authentication on any site that offers it. Facebook offers two-factor authentication, so set it up there as well. The best two-factor authentication relies on a smartphone app that generates a fresh code frequently, or on a physical key that you plug in. While SMS-based two-factor authentication is better than nothing, it is still vulnerable to social engineering techniques. So if you can use an authentication app or a physical key, you should. And have a backup in place in case something happens to your phone or key.
With this combination, your account is much safer regardless of Facebook's password policy. At a minimum you should use a password manager and unique passwords, but combining them with two-factor authentication is better.
Don't panic; enjoy the convenience
When it comes to Facebook's password policy, it's easy to worry that it's less secure, but in reality the benefits outweigh the risks. Security is a balancing act. The more you lock down a system, the less accessible it is. But the more convenient you make access, the more security you lose. The trick is getting the right amount of both, so you protect your users without frustrating them. Facebook errs on the side of usability here, and that's probably an acceptable decision.