Why can I log in to my facebook account with misspelled email/password

I've been playing around with different login forms online lately to see how they work. One of them was the Facebook login form. When I logged out of my account, my email and password were autocompleted by my browser. Then I decided to misspell my email and see what would happen if I tried to log in.

To my surprise, I logged in with no problem after changing my email from example@gmail.com to example@gmail.comm. I then started experimenting with different misspellings, and I had no problem logging in as long as it was not too far off my real email. I also tried changing the domain name (example@gmadil.coom), my email prefix (ezfxample@gmail.com), etc.

Then I also tried misspelling my password, and as long as it was not too far off my real password I could log in with no problem (with the password it worked when adding one random letter before or after the real password, not when adding a letter in the middle of it).

I also checked the actual data sent in the request by looking at it in Chrome dev tools, and it was in fact the wrong data that was sent.

How can this be? Should I be worried about my account's security?







authentication facebook














– aMJay
asked 9 hours ago (edited 9 hours ago)















  • If true (and it's a big enough claim that I'm going to want to verify it independently), then yes, everyone should be worried about account security, as it means passwords are stored in a reversible form.

    – Ghedipunk
    9 hours ago











  • @Ghedipunk to be more precise, it worked with a single random letter added before, and after the real password. Adding a random letter in the middle didn't allow me to log in.

    – aMJay
    9 hours ago











  • I can confirm this too. Someone else please try

    – shobhonk
    9 hours ago











  • That's an important distinction, with the random letter being before or after (and thanks for editing the question with that clarification as well; it helps)... That can be checked without storing it in a reversible form. With them allowing a bit of a fudge factor like that, it's time for me to generate an even longer password, though... ;-)

    – Ghedipunk
    9 hours ago












  • It just decreased the entropy by a few bits.

    – Peter A. Schneider
    31 mins ago





























2 Answers
Facebook is allowing you to make a handful of mistakes to ease the login process. A Facebook engineer explained the process at a conference. The gist of it is that Facebook will try various permutations of the input you submitted and see if they match the hash they have in their database.

For example, suppose your password is "myRealPassword!" but you submit "MYrEALpASSWORD!" (caps lock on, shift inverting caps lock). The submitted password obviously doesn't match what they have stored. Rather than reject you flat out, Facebook tries to up the user experience by trying to "correct" a few common mistakes such as inserting a random character before or after, capitalizing (or not) the first character, or mistakenly using caps lock. Facebook applies these filters one by one and checks the newly "corrected" password against what they have hashed in their database. If one of the permutations matches, Facebook assumes you simply made a small mistake and authorizes your session.

While worrying at first glance, this is actually still perfectly secure for a few reasons. First and foremost, Facebook is able to do this without storing the password in plaintext because they are transforming your provided (and untrusted) input from the form field and checking if it matches. Secondly, this isn't very helpful for someone trying to brute-force the password because online attacks are nigh impossible thanks to rate limiting and CAPTCHAs. Finally, the odds of an attacker/evil spouse knowing the text of your password and not the capitalization are abysmally small, and so the risk created as a result of this feature is equally small.

Should you be worried? No, probably not.

Further reading: https://www.howtogeek.com/402761/facebook-fudges-your-password-for-your-convenience/







– Sirens
answered 9 hours ago
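The check described in the answer above, sketched in Python as an added example (it is not Facebook's code and not part of the answer): the server stores one salted hash and applies the corrections to the submitted, untrusted input. The function names, the PBKDF2 parameters and the sample passwords are assumptions made for this illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # demo work factor (assumption), not a value from the page


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash; the only password-derived value the server stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> dict:
    """Build the stored record: a random salt and one hash, never the plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def candidates(submitted: str) -> list:
    """Return (label, string) pairs derived from the untrusted input.

    The corrections mirror the mistakes named in the answer: caps lock left on,
    wrong case on the first character, one extra character before or after.
    """
    pairs = [("exact", submitted), ("caps lock", submitted.swapcase())]
    if submitted:
        pairs.append(("first character case",
                      submitted[0].swapcase() + submitted[1:]))
    if len(submitted) > 1:
        pairs.append(("extra leading character", submitted[1:]))
        pairs.append(("extra trailing character", submitted[:-1]))
    seen, unique = set(), []
    for label, text in pairs:
        if text not in seen:          # skip corrections that change nothing
            seen.add(text)
            unique.append((label, text))
    return unique


def verify(submitted: str, record: dict):
    """Return the label of the correction that matched, or None.

    Every candidate is hashed even after a match, so for a given input the
    response time does not reveal which correction (if any) succeeded.
    """
    matched = None
    for label, text in candidates(submitted):
        digest = hash_password(text, record["salt"])
        if hmac.compare_digest(digest, record["hash"]) and matched is None:
            matched = label
    return matched


def guesses_per_attempt_bits(submitted: str) -> float:
    """Upper bound, in bits, on what one login attempt gains from the corrections."""
    return math.log2(len(candidates(submitted)))


if __name__ == "__main__":
    record = enroll("myRealPassword!")   # constructed sample password
    for attempt in ["myRealPassword!", "MYrEALpASSWORD!", "xmyRealPassword!",
                    "myRealPassword!x", "myReal_Password!"]:
        print(f"{attempt!r:22} -> {verify(attempt, record)}")
```

A character inserted in the middle matches none of the corrections and is rejected, which is the behaviour reported in the question; each attempt tests at most five strings, so the bound on the advantage per attempt is about 2.3 bits.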


























It has long been known that Facebook purposely allows you to log in with the password case reversed or the first character capitalized (see this article). They do this by storing the different hashes of the password. Are you seeing that more differences are allowed?

Apparently, they also have some similar usability features for the email address. Automatically "correcting" gmail.comm to gmail.com is actually harmless, since there's (currently) no comm TLD, so nobody would actually have a valid gmail.comm email address. I am, however, surprised that they would allow gmadil.com (currently for sale) or a different username, as that could be someone else's email address.

They might have decided that usability is of utmost importance and, if there is a login attempt for an email address for which there is no account, automatically attempt the login with the most similar username. While not completely bad, it doesn't seem a good approach, as someone else could sign up tomorrow with the ezfxample@gmail.com email and, although unlikely, also use Password123 as password. Then what?

Update: This was tested a few years back by Lukas on "Does correcting misspelled usernames create a security risk?", and apparently logging in with a misspelled email address only works when you have not deleted Facebook cookies from your earlier session. Thus, it only autocorrects your email address when it knows that you used to log in as example@gmail.com, and otherwise fails.

Note: AndyGrayland had suggested earlier that the cookies could be playing a part in this, but it is now in a deleted answer.






                  share|improve this answer















                  It is long know that Facebook allows you on purpose to log in with the password case reversed or the first character capitalized (see this article). They do this by storing the different hashes of the password. Are you seeing that more differences are allowed?



                  Apparently, they also have some similar usability features for the email address.
                  Automatically "correcting" gmail.comm to gmail.com is actually harmless, since there's (currently) no comm tld, so nobody would actually have a valid gmail.comm email address. I am however surprised that they would allow gmadil.com (currently for sale) or a different username, as that could be someone else's email address.



                  They might have decided that usability is of utter importance and, if there is a log in attempt for an email address for which there is not an account, automatically attempt the log in with the most similar username, but -while not completely bad- it doesn't seem a good approach, as someone else could sign up tomorrow with the ezfxample@gmail.com email and, although unlikely, also use Password123 as password, then what?



                  Update: This had been tested a few years back by Lukas on Does correcting misspelled usernames create a security risk? and apparently logging in with a misspelled email address only works when you have not deleted Facebook cookies from your earlier session. Thus, it only autocorrects your email address when it knows that you used to log in as example@gmail.com, and otherwise fails.



                  Note: AndyGrayland had suggested earlier that the cookies could be playing a part of this, but it is now in a deleted answer.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited 9 hours ago

























                  answered 9 hours ago









Ángel

10.3k, 2 gold badges, 15 silver badges, 41 bronze badges




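The two behaviours described in the answer above, as an added Python sketch that is not part of the original answer and is not Facebook's code: a small set of password typo variants is accepted, and a misspelled email is corrected only towards the address a prior-session cookie already names. The function names, the edit-distance threshold of 2 and the sample account are assumptions, and the variants are tried at verification time against one stored hash rather than by storing several hashes.

```python
import hashlib
import hmac
import os

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def password_variants(submitted):
    """The typed string plus the two typo fixes named in the answer."""
    variants = [submitted, submitted.swapcase()]  # Caps Lock left on
    if submitted:  # keyboard auto-capitalised the first character
        variants.append(submitted[0].lower() + submitted[1:])
    return variants

def edit_distance(a, b):
    """Levenshtein distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def resolve_email(submitted, accounts, remembered=None, max_typos=2):
    """Return the account to authenticate against, or None."""
    submitted = submitted.strip().lower()
    if submitted in accounts:
        return submitted  # a registered address is never "corrected"
    # Only correct towards the address this browser's cookie already names.
    if remembered in accounts and edit_distance(submitted, remembered) <= max_typos:
        return remembered
    return None

def login(email, password, accounts, remembered=None):
    target = resolve_email(email, accounts, remembered)
    if target is None:
        return False
    salt, stored = accounts[target]
    return any(hmac.compare_digest(hash_password(v, salt), stored)
               for v in password_variants(password))

# Constructed sample account, using the address and password from the answer.
ACCOUNTS = {"example@gmail.com": make_account("Password123")}
```

Because an exact match is checked first, a later signup under the misspelled address is authenticated as its own account and is never redirected. The `remembered` value is assumed to come from a cookie the server can validate.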





























