@0x56 It reads like a hoax as I cannot see how that would work. I can only log on with my password exactly correct.
@Mandypar - ok, good thanks... I'm getting mixed messages. I've been hearing outside coso that fully cap'd passwords *are* working
@0x56 whoa
@0x56 I'm in the crowd where all upper case worked. I'm quite horrified. I will try the extra character scenarios now as well.
@0x56 adding a character, lower case x in my test, to either the beginning or end of my otherwise correct password DID work. OMFreakingG!
Adding two x's failed
@0x56 my tests were done on a Win10 laptop and Chrome browser
@Urbankidx4 - TBH, all the "hashing" should be done server side, so I would hope client wouldn't matter.
@0x56 agreed. Just trying to be thorough.
@Urbankidx4 - fair - you're in QA aren't you? 😉
@0x56 no. Just been bit by my own flawed investigations a few times. 😏
Am wondering why you have some folks saying it didn't work for them.
And I'm still in shock about the whole thing. Crazy way to start the day.
@estherschindler @0x56 Well, that was interesting. FB balks at all caps, But it did take my password with an extra character at the end. I'm off to chat with FB security.
@sjvn @estherschindler - that will be an interesting read.
@0x56 @estherschindler I'm very interested to see what they'll have to say for themselves. So far, nada.
@0x56 holy cow 😬
@0x56 I got a suggestion this morning to try my tests again from a device and IP address I have never used before for a FB login. Will try that this evening and report back.
@Urbankidx4 - ooo, nice thought.
@0x56 well....the plot thickens.
Using a different laptop, on a different network I did these tests in this order:
1) valid pwd prefaced with extra char = fail
2) valid pwd chars but all upper case = fail
3) valid pwd with extra char appended to end = success
Now...
All upper case continues to fail every time
Prefaced extra char sporadically works
Appended extra char always works.
I'm out of time to test more now but will see what I can do later.
@Urbankidx4 - you're putting a lot of effort into this!
@0x56 I'm about to start cursing you for ever bringing it up. 😎
A classic rabbit hole that will undoubtedly keep me from doing something more important before I let it go.
^^ for the record. This *is* bad unless they came up with their own hashing algorithm. (and if that's the case, why not open the algorithm up to see if it passes muster).
Or they could be storing passwords rather than 1-way hashing them (encrypted or not, this is bad)
Or they could be doing several comparisons. This opens the door to timing attacks.