This is a well-understood feature. Facebook does the same thing[0]. Quote:

Facebook actually accepts three forms of your password:

* Your original password.

* Your original password with the first letter capitalized. This is only for mobile devices, which sometimes capitalize the first character of a word.

* Your original password with the case reversed, for those with a caps lock key on.

[0]: https://www.zdnet.com/article/facebook-passwords-are-not-case-sensitive-update/
Probably a feature, not a bug.

Most mobile keyboards automatically capitalize the first character by default.

With the ephemeral nature of password characters upon entry, it would be easy to miss the capitalization, annoying users.

This one small trick probably prevents millions of people from becoming frustrated with Google every single day.

And I'll bet it only works one way.

If your password was "ABCD", then by my logic "aBCD" should work.

But if your password was "abcd", then "Abcd" should not work.
I posted this earlier:

https://news.ycombinator.com/item?id=21862160

There's a much more evil prank than that:

A user was having a really bizarre problem: They could log in when they were sitting down in a seat in front of the keyboard, but when they were standing in front of the keyboard, their password didn't work! The problem happened every time, so they called for support, who finally figured it out after watching them demonstrate the problem many times:

It turned out that some joker had rearranged the number keys on the keyboard, so they were ordered "0123456789" instead of "1234567890". And the user's password had a digit in it. When the user was sitting down comfortably in front of the keyboard, they looked at the screen while they touch-typed their password, and were able to log in. But when they were standing in front of the computer, they looked at the keyboard and pressed the numbers they saw, which were wrong!
I just want a phone number input box that will strip dashes for me.

Many go to the effort of having an error message pop up that says "no dashes or parentheses allowed." So they went to the effort of writing special-case code to notice and handle this ... by giving instructions to the person, instead of the computer.
Similarly, there are many sites that allow you to log in using `your password` or `your password`.swapcase() (for example, Password123 or pASSWORD123). Automatically trying a variant only costs a single bit of entropy and can greatly reduce login issues.
So many sites require "at least one uppercase letter" and a "special character", and people use the same password for everything.

I wonder how many passwords have the first letter uppercase because that's easy to remember.

And then a trailing "!" because it's the first one you see.

Not that I would ever do that.
This doesn't bother me that much, but what really grinds my gears is how many sites won't let you log in with the correct username and password. I don't care enough about the account to want to set up 2FA, and I'd rather preserve a bit more privacy by not sharing my real phone number or another email address. Some sites seem to insist, and I think it's more about advertising and anti-spam than actual security.

Yahoo seems to be big on this these days. I had an old Yahoo account that I don't use much, but every time I try to log in, they seem to change around exactly what pseudo-2FA they want. Now they won't even let me try to type my password. Good grief, guess I'll just write off that account.
This doesn't seem particularly alarming. Google's account security is above and beyond the rest of the web right now. I doubt a single attack has been made realistic by this feature.
As an ex-Googler in the Information Security Engineering team who has looked at our implementation of password authentication, I confirm this is a feature, not a bug. (Some old mobile devices auto-capitalize the first character typed in a text field.) That said, I can't remember off the top of my head if we just ignored the case altogether or if the logic was more restrictive (e.g. if the first char is uppercase, also allow its lowercase version). Last time I looked at the code was 6 years ago.

Pretty sure this is a detail documented somewhere public-facing.
For a very long time, Chase bank public websites only accepted the first 8 characters of your password. Anything else was silently dropped. If you used Chase for any loans, credit cards, or banking, you were forced to change your password around 2016ish, which is when they finally resolved this problem. Why? Mainframes.

Bank of America, internally, required you to have two passwords, a Windows and a UNIX password. The UNIX password was only 8 characters due to, you guessed it, mainframes. I don't know if this was ever resolved.
I was briefly an intern in a company in which the only part of the password that was checked was the first four characters. I don't know whether it was due to using PIN numbers in the past or they just wanted people to feel safe but not call IT constantly about the account not working...
I wonder whether they're still doing that...
It's because early mobile keyboards would default to automatically capitalizing the first character at the start of an input, and apparently applied this behavior to password fields as well. Facebook has also had this password behavior for at least 10 years.
This reminds me of an intern project in my friend's company where they stored all hashes within a few Hamming distance of the password, so even with typos you would get logged in.

Iirc it had a cool demo, but was never used in production.
I have received a few notifications of login attempts from Windows 8 phones. I wonder if there are other security allowances for these devices making them the ideal platform for launching attacks.

PS. You can see this for yourself, just leave a negative review for Staples Canada on Google and your account will be attacked from somewhere inside Vietnam via Windows phone.
Ever call Fidelity phone support and hear "enter your password on the keypad"? That means collapsing ~62 chars into 10 char options, a massive space reduction.

Then there's the fact that many banking sites (BofA, IIRC) only used the first 8 chars of your password anyway.
This has been like this for at least a couple of years now. Struck me as a bit odd in the beginning, but it doesn't really improve the chances of brute forcing too much (which is hard on Google login anyway). And it potentially saves so much time and server resources.
That's a nice feature.

It got me thinking - imagine wanting to let users log in with a single character typo in their password, could you do this without storing hashes of all edit distance 1 passwords?
When the login page helps you brute force your own account...

What if... in the RARE case, a hacker guessed wrong, but was helped by Google to get into your account?
Doesn't that mean they are storing plain text / reversibly encrypted passwords?
I have had gmail and facebook accounts since way before mobile was invented; if they've added that feature for mobile, imho it means the password was stored in plain text or with 2-way encryption.
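The variant check that the quoted Facebook description and the "only works one way" reasoning earlier in the thread amount to, together with an answer to the plain-text question in the last two comments: this is added example code, not Google's or Facebook's implementation, using PBKDF2 with an assumed iteration count. Each tolerated form is derived from the string the user typed and hashed against the single stored salted hash, so no plain text or reversible encryption is needed; the cost is one extra slow hash per variant (at most two here).

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed example parameter; real deployments tune this (not a Google or Facebook value).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password. Only these two values are stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def login_variants(typed: str) -> List[str]:
    """Forms of the typed string the server will try, in order:
    1. exactly as typed;
    2. an auto-capitalised first letter undone (only if it is uppercase);
    3. every letter's case reversed (caps lock on).
    Step 2 only ever lowercases an uppercase first letter, so the tolerance is
    one-directional: a stored 'abcd' accepts 'Abcd', but a stored 'ABCD' does
    not accept 'aBCD'. These are exactly the three forms Facebook is quoted as
    accepting, expressed from the verifier's side.
    """
    variants = [typed]
    if typed and typed[0].isupper():
        variants.append(typed[0].lower() + typed[1:])
    variants.append(typed.swapcase())
    # Drop duplicates while keeping order, so the same string is never hashed twice
    # (e.g. an all-digit password has only one variant).
    return list(dict.fromkeys(variants))


def verify(typed: str, salt: bytes, stored_digest: bytes) -> Optional[str]:
    """Return the variant that matched the stored hash, or None on failure.
    Each variant is hashed with the stored salt and compared in constant time;
    the original password is never stored and never recovered from the hash."""
    for candidate in login_variants(typed):
        _, digest = hash_password(candidate, salt)
        if hmac.compare_digest(digest, stored_digest):
            return candidate
    return None


if __name__ == "__main__":
    salt, digest = hash_password("abcd")          # constructed sample password
    for attempt in ("abcd", "Abcd", "ABCD", "aBCD"):
        print(f"{attempt!r:8} -> {verify(attempt, salt, digest)!r}")
```

Because the server enumerates at most three candidates, an attacker's guess also covers at most three passwords per attempt, which is the "one bit of entropy" (strictly, under two bits) trade-off mentioned above.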