Log in to Facebook with your caps lock key enabled.
Did it work?
Was that your correct password?
Why isn’t anyone mad about this?
I hadn’t heard about this before, but to play devil’s advocate for a bit, I think it’s a good decision on their part. 🙂
Obviously security vs. convenience is already a trade-off (for instance, password complexity requirements, password change policies, etc.), and accepting case-reversed passwords is cutting down the search space by less than 1 bit (since there are passwords that don’t contain any letters). In exchange for this IMHO tiny reduction in the required search space, facebook gets to remove a huge (at their scale) number of user problems and complaints.
Although I don’t have any large-scale data on this, the times I’ve seen lists of passwords that have been exposed, it seems clear that the vast majority of passwords are all lower-case anyway (presumably the convenience of not having to hit the Shift key in conjunction). A sample along these lines would be the ‘top 50’ from the gawker fiasco:
Quickly skimming through those 50 passwords, the only upper-case character I see is a capital ‘P’ in the entry ‘Password’ – admittedly a small sample set, but I think it would make it reasonable to believe that lower-case is by far the dominant usage in passwords.
Another way of looking at it is the cost-benefit analysis, where the marginal security benefit of enforcing only-correct-and-not-reversed case would seem to be dominated by the marginal cost of turning those user scenarios into failures, frustrating users, and causing headaches for them and sometimes facebook (support, negative press).
David Platt’s entry in the July 2011 MSDN mag would seem to think along these lines:
He references a 2.5-year-old paper from MSR @ http://research.microsoft.com/apps/pubs/default.aspx?id=80436
All that said, the above is very much just my “devil’s advocate” knee-jerk take on it. I really haven’t thought through it enough to say if I personally agree or disagree with their choice on this, but I’d have to admit that I don’t (at least currently) see it as ‘obviously incorrect’ in terms of real-world security, even if it is from an academic/theoretical point of view. 🙂
Ack! sorry the formatting was so horrible on that comment 🙁 I got spoiled by the ‘live preview’ of sites like StackOverflow, I think 🙂
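The two things the post and the comment above turn on, a login check that also accepts the case-inverted (caps-lock) form of the password, and the claim that doing so costs less than 1 bit of search space, as an added example that is neither Facebook's code nor the commenter's. The PBKDF2 hash, the record layout and the tiny "aA1" alphabet used for the enumeration are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import itertools
import math
import os

# Hypothetical credential store. PBKDF2-HMAC-SHA256 is a stand-in for whatever
# hash the real site uses; the point is the comparison logic, not the KDF.
ITERATIONS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password):
    """Create a stored credential record (random salt + hash of the exact string)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def strict_verify(record, candidate):
    """Conventional check: only the exact password is accepted."""
    return hmac.compare_digest(_hash(candidate, record["salt"]), record["hash"])


def caps_lock_tolerant_verify(record, candidate):
    """Accept the exact password or its case-inverted form (what caps lock produces).

    Only the submitted string is transformed; the stored hash is unchanged and the
    server never needs the plaintext. str.swapcase() is not an involution for every
    Unicode string ('ß'.swapcase() == 'SS'), so the variant is always derived from
    the candidate, never reconstructed from a stored form.
    """
    for variant in (candidate, candidate.swapcase()):
        if hmac.compare_digest(_hash(variant, record["salt"]), record["hash"]):
            return True
    return False


def guesses_needed(space):
    """Distinct online guesses needed to cover a candidate space under the strict
    and the caps-lock-tolerant verifier. Under the tolerant check p and
    p.swapcase() are covered by one guess, so they collapse into one class;
    strings with no letters are their own swapcase and do not collapse."""
    distinct = set(space)
    strict = len(distinct)
    tolerant = len({min(p, p.swapcase()) for p in distinct})
    return strict, tolerant


def bits_lost(space):
    """Reduction in effective online search space, in bits: log2(strict / tolerant)."""
    strict, tolerant = guesses_needed(space)
    return math.log2(strict / tolerant)


def full_space(alphabet, length):
    """Every string of the given length over the alphabet (kept small to enumerate)."""
    return ["".join(t) for t in itertools.product(alphabet, repeat=length)]


if __name__ == "__main__":
    rec = make_record("Secret1!")
    print(strict_verify(rec, "sECRET1!"))
    print(caps_lock_tolerant_verify(rec, "sECRET1!"))

    # Constructed toy password space: letters a/A plus one digit, length 3.
    # 27 strings collapse to 14 classes (only "111" is letter-free), i.e. a
    # little under one bit lost, matching the comment's estimate.
    space = full_space("aA1", 3)
    print(guesses_needed(space), bits_lost(space))
```

Two practitioner caveats follow directly from this design. The stored hash is of the exact string the user chose, so an attacker who steals the hash database gains nothing from the server's tolerance; the sub-1-bit reduction applies only to online guessing, which is where rate limiting already sits. Second, every failed login now costs up to two KDF evaluations, which is worth accounting for in the rate-limiting and capacity budget.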