Enterprise Communications

Security and Convenience are mutually exclusive, unless you are Facebook identity management

by Rufus Connell 16 Sep 2011

ZDNet recently wrote a good article about how Facebook passwords aren't entirely case sensitive. In a nutshell, Facebook identified that users sometimes accidentally activate Caps Lock before typing a password. Because the password is obfuscated on screen, the user doesn't notice that Caps Lock is on, and the password gets rejected. Facebook doesn't want to frustrate users, so it decided that if a user types a password in which every character has reversed capitalization, but the characters are otherwise correct, the password is accepted.

Facebook also recognizes that some mobile devices "help" the user by capitalizing the first letter of a sentence, so those devices sometimes automatically capitalize a lower-case letter at the start of the password.

Short story: you have at least two, maybe three, valid passwords for Facebook.

From a security perspective, this means that a brute-force attack will break the password somewhat faster. Practically speaking, the password's strength hasn't changed much. Facebook has other technologies to help identify fraudulent login attempts that back up the username and password, so today Facebook users can be pretty confident in their security as long as they follow password best practices.

What are the long term implications?

Obviously Facebook wants to avoid inconveniencing users with password resets. Facebook has identified at least two situations where the password system produces a false negative. How many other potential issues are there?

Good passwords have upper- and lower-case letters, alphanumeric symbols, and are at least 8 characters long, or waaaaaay longer if you've read this. Facebook is my friend and has realized that I access my account from my mobile device, so Facebook is already helping me out by ignoring an accidentally capitalized first letter. What's next? On my BlackBerry the number keys are activated by an Alt button. Is Facebook going to start accepting the letter "w" instead of 1? What if I fat-finger the Shift key instead of Alt, or the "sym" key instead of Shift? What about Alt instead of Shift? The combinations and permutations of accepted passwords jump from three to many dozens. What other plausible errors can users make?

Facebook has really embarked on a slippery slope. I want good security to be as easy to use as possible, and eliminating false negatives is a noble goal. That said, Facebook is becoming far more than a nice way to share pictures. Facebook is seeing good traction with its Facebook Authentication service. It is critical that companies that take advantage of Facebook's federated identity service realize that Facebook has made what is, in security circles, considered a strange decision: to reduce the strength of all its users' passwords.
