Facebook bizarre password "bypasses"

Open ghost opened this issue 5 years ago • 3 comments

Facebook passwords do not have to be exactly correct and can be slightly bypassed if you are close enough. This greatly reduces the entropy of passwords in certain cases (especially short ones).

It seems that:

  • they are case insensitive almost all of the time
  • adding an extra character to your password will still result in the password being accepted
  • the username/email can be up to 3 characters off and still be accepted
  • unknown other conditions

Facebook does employ a trust engine to allegedly require stricter checking from suspicious logins, but even if you set your VPN to say Malaysia / change your user-agent to something random it almost never goes off.

My understanding is this is designed to facilitate convenient/faster logins for users...

NOTE: anyone can take this issue and run with it, but if not I'll just put in a pull request in a few days

ghost avatar Sep 06 '19 12:09 ghost
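As an added illustration (not code from the issue, its author, or Facebook), the snippet below models the two behaviours the post lists, case-insensitive matching and acceptance of one extra trailing character, next to a strict comparison, and counts the variants the lenient check folds together. The alphabet and the SHA-256 stand-in for a real password hash are assumptions made here.

```python
import hashlib
import hmac
import string

# Assumed alphabet for the count below: printable ASCII, 94 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _digest(secret: str) -> bytes:
    # Stand-in for a real password hash; production code would use a salted,
    # memory-hard KDF. SHA-256 only keeps this example self-contained.
    return hashlib.sha256(secret.encode()).digest()


def enroll_strict(password: str) -> bytes:
    return _digest(password)


def verify_strict(stored: bytes, candidate: str) -> bool:
    # Exact match only, compared in constant time.
    return hmac.compare_digest(stored, _digest(candidate))


def enroll_lenient(password: str) -> bytes:
    # Case-insensitive acceptance forces the server to hash a case-folded secret,
    # so the case information is thrown away at enrollment, not just at login.
    return _digest(password.lower())


def verify_lenient(stored: bytes, candidate: str) -> bool:
    """Accepts the case-folded password, or the case-folded password with one
    extra trailing character, mirroring the two behaviours the issue describes."""
    for variant in (candidate, candidate[:-1]):
        if variant and hmac.compare_digest(stored, _digest(variant.lower())):
            return True
    return False


def _letters(password: str) -> int:
    return sum(c.isascii() and c.isalpha() for c in password)


def case_bits_lost(password: str) -> int:
    # Each ASCII letter carries one bit of case; ignoring case discards all of them,
    # so a guesser has 2**letters fewer casings to try.
    return _letters(password)


def accepted_strings(password: str, alphabet: str = ALPHABET) -> int:
    # Distinct strings verify_lenient accepts for this password: every casing,
    # each either as-is or followed by one extra character from the alphabet.
    return 2 ** _letters(password) * (1 + len(alphabet))
```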

Wow, would love to see examples of this.

adding an extra character to your password will still result in the password being accepted
the username/email can be up to 3 characters off and still be accepted

duffn avatar Sep 06 '19 13:09 duffn

I would have added a screenshot for this crazy one but there is not much to screenshot / not very “photogenic” of an issue.

That being said, if you google some of the examples I wrote down you’ll find ppl complaining about this from years and years ago on Reddit, Stack Overflow, etc. That's the only reason I found out about it / bothered to test to see if it was true.

ghost avatar Sep 06 '19 13:09 ghost

Just came across this issue and thought I’d add some context if anyone is interested. This was briefly discussed in a talk from a now ex-Facebook employee: https://youtu.be/7dPRFoKteIU (jump to the 16-minute mark).

tmthrgd avatar Feb 17 '23 00:02 tmthrgd