Facebook Fudges Your Password for Your Convenience

  • January 24, 2019

If you think the only correct version of your password is the exact capitalization and letter/symbol sequence you use, you may be in for a shock. Facebook will accept slight variations of your password, for your convenience. And it’s perfectly safe.

Passwords Are Easy To Mistype

Facebook and other sites like it have a problem. They’d like you to use long and complicated passwords, but those are hard to type. You should be using a password manager to take care of that for you, but most people don’t. And because of those two factors, it’s common to mistype your password.

At that point what should Facebook do?

Should they deny you entry just because your password was slightly off, and frustrate you with a second attempt? Or should they recognize that the provided password was likely correct but with a typo and smooth your journey to cat gifs and baby pictures by ignoring the mistake?

Facebook Evaluates Mistakes in Passwords

As Alec Muffett, a former software engineer for the security infrastructure team at Facebook Engineering in London, explains, Facebook chose the latter. If your password is very close to correct, they may count it as accurate. The rules for this are straightforward. Facebook will accept an incorrect password if it meets any of these conditions:

  • You have caps lock turned on, and the capitalizations are reversed.
  • You enter an extra character at the beginning or end of the password.
  • The first character of the password should be lowercase, but you typed it capitalized.

As you can see, these variations are all centered around the basic concept of slightly missing your password when typing. In some cases, this may be an issue of autocorrect, like the first letter of a word being capitalized. If your mistyped password meets these specific rules, you won’t know there was a problem—you’ll just find yourself logged in.

For example, let’s say your password is “letMeIn.” Facebook will also accept “LETmEiN” (because that’s a straight-up caps lock reversal) and “LetMeIn” (because that’s incorrect capital for the first letter). It will also accept variations like “1letMeIn” and “letMeIn2” because those are correct except for an additional character at the beginning or end. However, it won’t accept “LETMEIN”, “letmein”, or “12LetMeIn” at all.
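The three rules above describe what the server tolerates, not how it checks. A server that stores only salted hashes cannot "fuzzy match" the stored value; what it can do is derive the few candidate passwords that would result from undoing each specific slip, hash each one, and compare. The following is an added example, not Facebook's code and not from the article: the PBKDF2 hashing and the salt are constructed stand-ins for whatever Facebook actually uses, and the function names are made up for illustration.

```python
import hashlib
import hmac

# Constructed example: salted PBKDF2-HMAC-SHA256 stands in for the real
# server-side password hash, which the article does not describe.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted password hash (constructed scheme for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def typo_variants(typed: str) -> list[str]:
    """Return the typed entry plus the corrections for the slips the article lists.

    Each variant undoes exactly one kind of slip, so at most four extra
    candidates are ever hashed, no matter how long the password is.
    """
    variants = [typed]
    # Caps lock was on: every letter's case is inverted.
    variants.append(typed.swapcase())
    # Autocorrect capitalised a first letter that should be lowercase.
    if typed and typed[0].isupper():
        variants.append(typed[0].lower() + typed[1:])
    # One stray character landed at the start or at the end.
    if len(typed) > 1:
        variants.append(typed[1:])
        variants.append(typed[:-1])
    # Drop duplicates (e.g. a digits-only entry swapcases to itself) but keep order.
    return list(dict.fromkeys(variants))


def verify_lenient(typed: str, salt: bytes, stored_hash: bytes) -> bool:
    """Accept the entry if it, or one tolerated variant, hashes to the stored value."""
    for candidate in typo_variants(typed):
        # Constant-time comparison, as for any password hash check.
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            return True
    return False


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"       # constructed; real salts are random per user
    stored = hash_password("letMeIn", salt)   # the article's example password
    for attempt in ["letMeIn", "LETmEiN", "LetMeIn", "1letMeIn", "letMeIn2",
                    "LETMEIN", "letmein", "12LetMeIn"]:
        print(f"{attempt!r:>12}: {'accepted' if verify_lenient(attempt, salt, stored) else 'rejected'}")
```

Run against the article's own examples, the five accepted strings verify and the three rejected ones do not. The design point worth noticing is that the leniency is a fixed, small set of deterministic transformations, so an attacker's effective number of guesses per attempt grows by at most a factor of five; it does not turn the check into a similarity match that would accept anything "close".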

This Process is Still Secure


At first blush, Facebook’s password lenience sounds insecure. But in this case, the truth is more complicated. While it’s easy to think of old hacker crime dramas that showed quick brute force guessing at a password in mere minutes, hacking doesn’t work that way at all. Brute forcing unknown passwords does exist, but it’s very different from what TV implies. As xkcd famously demonstrates, as the length of a password increases, the time to crack it also increases exponentially. Adding complexity helps, but not as much as you might think.


Source: Facebook Fudges Your Password for Your Convenience