科技回声

A technology news platform built on Next.js, offering global tech news and discussion.
© 2025 科技回声. All rights reserved.

Passwords For Your Facebook Account

155 points, posted by heroic about 13 years ago

10 comments

TamDenholm, about 13 years ago
Ignoring the security implications for a moment, this is a very nice UX enhancement. I do imagine that it would eliminate the vast majority of the invalid password attempts, thus making people's experience much better.

Now, the question is, just how much security are you losing by allowing this? Assuming the passwords are stored correctly, my guess would be that passwords that are considered secure already would only be marginally less secure because of this; however, non-secure passwords (common ones) are a hell of a lot less secure, but only in a relative context: they're still just as insecure as the original insecure password.

I'm not sure I articulated this properly, so if I didn't, let me know.
Comment #3921430 not loaded
Comment #3921255 not loaded
Comment #3921261 not loaded
Comment #3929703 not loaded
Anm, about 13 years ago
I'd like to note, their assumption about caps lock does not apply to Mac. If you hold shift while caps lock is on on a Mac, it still gives uppercase.

Of course, if they implemented this, it would turn it into a case-insensitive password with much bigger security implications. So this isn't a criticism of their decision, only an observation.
tomkinstinch, about 13 years ago
This raises several questions:

Have they always done this, or is this new?

For those of us who haven't changed our Facebook password in years, does this mean that we don't get this option, or do we? And if we do, is Facebook storing our passwords in plaintext?
Comment #3921062 not loaded
Comment #3921056 not loaded
Comment #3921093 not loaded
Comment #3921071 not loaded
Comment #3921034 not loaded
davweb, about 13 years ago
There's a nice article about this on the AgileBits blog [1]. In summary, they say it's a net gain for security because trying variations on a supplied password doesn't help an attack much, and reducing the number of password resets is a positive from a security perspective.

[1] http://blog.agilebits.com/2011/09/13/facebook-and-caps-lock-unintuitive-security/
hafabnew, about 13 years ago
While obviously Facebook will be storing this as hash(normal), hash(upper(normal)), and hash(lower(normal)), there's an interesting security benefit to storing this in 3 columns, 'password1', 'password2' and 'password3'. The trick then is to randomise which hash gets stored in which column, i.e., password1 doesn't always correspond to hash(normal).

The slight benefit of this being that if your database is leaked, then the attacker won't have his/her brute-forcing job made easier by knowing that the password3 hash only contains lowercase alphanumeric characters.

Edit: Apparently I suck at reading, it's not upper() and lower(). Whoops :). Well, if any other sites do store upper() and lower() variations, I wonder if they use this idea?
Comment #3923329 not loaded
Comment #3922416 not loaded
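The following is an added example, not code from Facebook or from anyone in this thread, illustrating the mechanism the comments above (TamDenholm on the security cost, Anm on the Mac caps-lock caveat, hafabnew on stored hashes) are discussing. It shows a login check that tolerates a Caps Lock slip by deriving the case-inverted variant from the typed string at login time and testing each variant against one stored hash, so nothing beyond the usual salted hash is stored. It also counts how many distinct strings are accepted for a given password, which bounds the attacker's advantage at log2(count) bits. PBKDF2-SHA256, the iteration count and the salt length are assumptions made for this example, not Facebook's parameters.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for this example only


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def caps_lock_variants(typed: str) -> List[str]:
    """The strings a login attempt is allowed to match: exactly what was typed,
    plus its case-inverted form (what a PC keyboard produces with Caps Lock
    left on). Only distinct strings are returned, so a password with no
    letters yields a single candidate."""
    variants = [typed]
    swapped = typed.swapcase()
    if swapped != typed:
        variants.append(swapped)
    return variants


def verify(typed: str, salt: bytes, stored: bytes) -> bool:
    """Check each tolerated variant against the single stored hash.
    Constant-time comparison avoids leaking which variant matched."""
    for candidate in caps_lock_variants(typed):
        _, digest = hash_password(candidate, salt)
        if hmac.compare_digest(digest, stored):
            return True
    return False


def guess_multiplier(password: str) -> int:
    """How many distinct strings the server accepts for this password.
    One online guess covers this many candidates, so the loss is at most
    log2(multiplier) bits: one bit for a password containing letters,
    zero for one with nothing to case-invert."""
    return len(caps_lock_variants(password))


if __name__ == "__main__":
    salt, stored = hash_password("PassWord")  # constructed sample password
    # Caps Lock left on with a PC keyboard inverts every letter: accepted.
    print(verify("pASSwORD", salt, stored))
    # On a Mac, Shift with Caps Lock on still yields uppercase, so the user
    # types the fully upper-cased string; swapcase alone does not cover it.
    print(verify("PASSWORD", salt, stored))
    print(guess_multiplier("PassWord"), guess_multiplier("12345"))
```

Running the block shows the Mac case from Anm's comment being rejected: accepting it too would require a third accepted variant (the upper-cased string), raising the multiplier and the bits lost accordingly.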
chengiz, about 13 years ago
You can also log in with your profile name, which I didn't know until very recently, when I mistakenly dropped the @domain.com and was initially surprised to find it worked.
Comment #3921544 not loaded
Comment #3921821 not loaded
Dave_Rosenthal, about 13 years ago
Also, I just noticed this evening that Facebook explicitly notifies you of incorrectly using your old password. Not sure how far back they go to check.
pazimzadeh, about 13 years ago
The question is, what IS the value of the true password? How do you define "something and its inverse"?
Comment #3923312 not loaded
Comment #3923480 not loaded
aneth, about 13 years ago
One interesting observation from the comments:

On a Mac, shift with caps-lock on doesn't toggle to lower-case, so they would need to store a fourth version for this to work.

OPERATI@NGERONIMO

Overall it's a clever UX hack, though I worry they came to it by observing invalid password attempts, which seems slightly outside of appropriate, although it doesn't particularly bother me in this case.
Comment #3921811 not loaded
dkersten, about 13 years ago
My capslock key is backspace, so this feature is useless to me.