I don’t know why this is happening, but I can log in to my Facebook account even if I add just one random character either at the beginning or at the end of my password. For instance, I can log in if I type 1MYPASSWORD or MYPASSWORD1, where 1 is the additional random character I added.

This doesn’t happen when the cache and cookies are cleared (I get the classic wrong password error message).

Is this something to worry about? Does this happen to you as well?
FB has been doing this for years: https://security.stackexchange.com/questions/214814/why-can-i-log-in-to-my-facebook-account-with-a-misspelled-email-password

Hashing multiple variations of your password every time you log in will burn a couple of bits of entropy, but realistically if you're not using randomly generated passwords stored in a password manager you never had much security to begin with. They're just automating something that humans do manually.
Security is all about risks. Most companies aren’t at the scale of Facebook, so they must rely on simple heuristics.

Facebook likely has enough ancillary data to not really even need your password. They’ve seen a bunch of prior usage from a device identical to your current one. Your IP matches a known IP for your session. There’s some cookie on your system that’s associated with you. Perhaps Facebook even knows the handful of people that ever share WiFi with you.

Essentially, they already know who you are, so they’re willing to take anything that’s close to a known password.
FB thinks you should be able to log in even if you made a silly typo in your password. Historically, they let you log in even if you unknowingly had caps lock on, or had the first character wrongly capitalised.

Maybe they’re stricter on this sort of thing if they think you haven’t signed in from the machine you’re on before. (Would explain the cookie thing.)
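As an added example (not code from this thread or from Facebook), here is a minimal typo-tolerant verifier of the kind the second and last comments describe: the server hashes the typed password plus a few variants (stray leading/trailing character, caps lock on, first letter with the wrong case) and accepts if any one matches the stored hash. It uses PBKDF2 from the Python standard library with a constructed fixed salt purely for reproducibility; the entropy function shows the log2(n) bits that checking n variants gives up.

```python
import hashlib
import hmac
import math

# Constructed demo parameters: a real deployment would use a memory-hard
# KDF (argon2/scrypt) and a random per-user salt rather than a fixed one.
ITERATIONS = 100_000
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; this is what the server stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def candidates(typed: str) -> list[str]:
    """The typed string plus the typo variants discussed in the thread:
    one stray character at the start or end, caps lock left on, and the
    first letter with its case flipped. Deduplicated, order preserved."""
    variants = [typed]
    if len(typed) > 1:
        variants.append(typed[1:])       # stray character at the start
        variants.append(typed[:-1])      # stray character at the end
    variants.append(typed.swapcase())    # caps lock left on
    if typed:
        variants.append(typed[0].swapcase() + typed[1:])  # first letter case flipped
    seen: list[str] = []
    for v in variants:
        if v not in seen:
            seen.append(v)
    return seen

def verify_strict(typed: str, stored: bytes) -> bool:
    """Conventional check: exactly one constant-time hash comparison."""
    return hmac.compare_digest(hash_password(typed), stored)

def verify_lenient(typed: str, stored: bytes) -> bool:
    """Typo-tolerant check: one hash comparison per variant, any match wins."""
    return any(hmac.compare_digest(hash_password(c), stored) for c in candidates(typed))

def entropy_cost_bits(typed: str) -> float:
    """A guess that is accepted if any of n variants matches is n times as
    likely to succeed as a single exact guess, so the check gives up log2(n)
    bits of effective password entropy."""
    return math.log2(len(candidates(typed)))
```

For a ten-character password this yields five distinct candidates, so the lenient check costs roughly 2.3 bits while accepting 1MYPASSWORD, MYPASSWORD1 and mypassword for a stored MYPASSWORD.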