Why can I log in to my facebook account with misspelled email/password
I've been playing around with different login forms online lately to see how they work. One of them was the Facebook login form. When I logged out of my account, my email and password were autocompleted by my browser, so I decided to misspell my email and see what would happen if I tried to log in.
To my surprise I logged in with no problem after changing my email from example@gmail.com to example@gmail.comm. I then started experimenting with different misspellings and had no problem logging in as long as it was not too far off my real email. I tried changing the domain name as well (example@gmadil.coom), my email prefix (ezfxample@gmail.com), etc.
Then I also tried misspelling my password, and as long as it was not too far off my real password I could log in with no problem (with the password it worked when adding one random letter before or after the real password, not when adding a letter in the middle of it).
I also checked the actual data sent in the request by looking at it in Chrome dev tools, and in fact it was the wrong data that was sent.
How can this be? Should I be worried about my account's security?
authentication facebook
asked 9 hours ago, edited 9 hours ago
aMJay
If true (and it's a big enough claim that I'm going to want to verify it independently), then yes, everyone should be worried about account security, as it means passwords are stored in a reversible form.
– Ghedipunk
9 hours ago
@Ghedipunk to be more precise, it worked with a single random letter added before, and after the real password. Adding a random letter in the middle didn't allow me to log in.
– aMJay
9 hours ago
I can confirm this too. Someone else please try
– shobhonk
9 hours ago
That's an important distinction, with the random letter being before or after (and thanks for editing the question with that clarification as well; it helps)... That can be checked without storing it in a reversible form. With them allowing a bit of a fudge factor like that, it's time for me to generate an even longer password, though... ;-)
– Ghedipunk
9 hours ago
It just decreased the entropy by a few bits.
– Peter A. Schneider
31 mins ago
2 Answers
Facebook is allowing you to make a handful of mistakes to ease the login process. A Facebook engineer explained the process at a conference. The gist of it is that Facebook will try various permutations of the input you submitted and see if they match the hash they have in their database.
For example, suppose your password is "myRealPassword!" but you submit "MYrEALpASSWORD!" (caps lock on, shift inverting caps lock). The submitted password obviously doesn't match what they have stored. Rather than reject you flat out, Facebook tries to improve the user experience by trying to "correct" a few common mistakes such as inserting a random character before or after, capitalizing (or not) the first character, or mistakenly using caps lock. Facebook applies these filters one by one and checks the newly "corrected" password against what they have hashed in their database. If one of the permutations matches, Facebook assumes you simply made a small mistake and authorizes your session.
While worrying at first glance, this is actually still perfectly secure for a few reasons. First and foremost, Facebook is able to do this without storing the password in plaintext because they are transforming your provided (and untrusted) input from the form field and checking if it matches. Secondly, this isn't very helpful for someone trying to brute-force the password because online attacks are nigh impossible thanks to rate limiting and captchas. Finally, the odds of an attacker/evil spouse knowing the text of your password and not the capitalization are abysmally small, and so the risk created as a result of this feature is equally small.
Should you be worried? No, probably not.
Further reading: https://www.howtogeek.com/402761/facebook-fudges-your-password-for-your-convenience/
answered 9 hours ago
Sirens
It is long known that Facebook allows you, on purpose, to log in with the password case reversed or the first character capitalized (see this article). They do this by storing the different hashes of the password. Are you seeing that more differences are allowed?
Apparently, they also have some similar usability features for the email address.
Automatically "correcting" gmail.comm to gmail.com is actually harmless, since there's (currently) no comm TLD, so nobody would actually have a valid gmail.comm email address. I am however surprised that they would allow gmadil.com (currently for sale) or a different username, as that could be someone else's email address.
They might have decided that usability is of utter importance and, if there is a login attempt for an email address for which there is no account, automatically attempt the login with the most similar username, but (while not completely bad) it doesn't seem a good approach, as someone else could sign up tomorrow with the ezfxample@gmail.com email and, although unlikely, also use Password123 as password, and then what?
Update: This had been tested a few years back by Lukas on Does correcting misspelled usernames create a security risk? and apparently logging in with a misspelled email address only works when you have not deleted Facebook cookies from your earlier session. Thus, it only autocorrects your email address when it knows that you used to log in as example@gmail.com, and otherwise fails.
Note: AndyGrayland had suggested earlier that the cookies could be playing a part in this, but it is now in a deleted answer.
edited 9 hours ago
answered 9 hours ago
Ángel
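Both answers describe the same design space, so here is one added example (my own construction, not Facebook's code and not from either answerer) that puts the two approaches side by side: Sirens' "transform the untrusted submission and hash each candidate against one stored hash", and Ángel's "store one hash per accepted variant of the real password". It assumes PBKDF2-HMAC-SHA256 as a stand-in for whatever KDF Facebook actually uses, a deliberately low iteration count so it runs quickly, and exactly the candidate set Sirens' answer lists (caps-lock inversion, first-character case toggle, one stray character before or after); the password myRealPassword! is the constructed sample from that answer.

```python
"""Tolerant password checking without reversible storage (constructed example).

Design 1 (Sirens' answer): transform the untrusted submission into a bounded
set of "corrected" candidates and hash each one against a single stored hash.
Design 2 (Ángel's answer): at set-password time, store one hash per accepted
case variant and hash the submission only once at login.
"""
import hashlib
import hmac
import math
import os
from typing import List, Optional, Tuple

# Deliberately low work factor so the example runs in about a second; a real
# deployment would use a memory-hard KDF (scrypt/Argon2) with higher parameters.
ITERATIONS = 50_000


def kdf(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (stand-in for the real KDF, which is unknown)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def toggle_first(s: str) -> str:
    """Flip the case of the first character (mobile auto-capitalisation)."""
    if not s:
        return s
    first = s[0].lower() if s[0].isupper() else s[0].upper()
    return first + s[1:]


def case_variants(s: str) -> List[str]:
    """Forms that differ from s only by the two case mistakes the answers name:
    caps lock left on (every letter inverted) and a toggled first character."""
    return [s, s.swapcase(), toggle_first(s)]


def login_candidates(submitted: str) -> List[str]:
    """Everything tried at login: the case variants plus the submission with one
    stray character stripped from the front or the back. De-duplicated so each
    KDF evaluation is paid at most once per distinct string."""
    forms = case_variants(submitted)
    if len(submitted) > 1:
        forms += [submitted[1:], submitted[:-1]]
    unique: List[str] = []
    for form in forms:
        if form not in unique:
            unique.append(form)
    return unique


def verify_at_login(submitted: str, salt: bytes, stored: bytes) -> Optional[str]:
    """Design 1. Returns the candidate that matched, or None. The stored hash is
    only ever compared with a freshly computed one, never reversed."""
    for cand in login_candidates(submitted):
        if hmac.compare_digest(kdf(cand, salt), stored):
            return cand
    return None


def store_variant_hashes(password: str) -> Tuple[bytes, List[bytes]]:
    """Design 2. Hash each accepted case variant of the real password once."""
    salt = os.urandom(16)
    return salt, [kdf(variant, salt) for variant in case_variants(password)]


def verify_precomputed(submitted: str, salt: bytes, stored: List[bytes]) -> bool:
    """Design 2 login: one KDF call, compared against every stored variant hash."""
    digest = kdf(submitted, salt)
    return any(hmac.compare_digest(digest, h) for h in stored)


def tolerance_bits(submitted: str) -> float:
    """Upper bound on what the tolerance gives away per guess: log2 of the number
    of distinct strings a single submission is allowed to match."""
    return math.log2(len(login_candidates(submitted)))


if __name__ == "__main__":
    real = "myRealPassword!"  # constructed sample password from Sirens' answer
    salt, variant_hashes = store_variant_hashes(real)
    single_hash = kdf(real, salt)
    for typed in ["MYrEALpASSWORD!", "MyRealPassword!", "xmyRealPassword!", "myRealPass!word"]:
        print(f"{typed:18} design1={verify_at_login(typed, salt, single_hash)!r:20}"
              f" design2={verify_precomputed(typed, salt, variant_hashes)}")
    print(f"candidates per guess: {len(login_candidates(real))}, "
          f"bits given away: {tolerance_bits(real):.2f}")
```

Neither path ever decrypts anything: the stored value is only compared with a freshly computed KDF output, which is the distinction Ghedipunk's second comment draws. The precomputed-variant design covers only the case variants, because a stray character is unknown until the user types it, so the before/after tolerance the asker observed can only be implemented on the input side, as in design 1. tolerance_bits quantifies Peter A. Schneider's "a few bits": with five candidates per submission an online attacker gains at most log2(5) ≈ 2.3 bits per attempt, which rate limiting absorbs, and a letter inserted in the middle still fails in both designs, matching what the asker saw.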