FB accepts incorrect passwords

01-18-2017 , 06:15 PM
https://twitter.com/gcpascutto/statu...5332984717314/

what do you think about this? i don't see many downsides, and is def a convenience to the end user
01-18-2017 , 08:35 PM
Interesting. I'm certainly more concerned about how they store passwords etc. Don't have much issue with the inverse caps and first letter capitalisation thing. Not so sure about the extra character bit not least as it's not totally clear what that might mean in practice (do they simply compare to the hash the string entered without its last character)?
01-18-2017 , 10:08 PM
Depends on where they do the translations. If they store all n versions of the password in the db or if they store the good version and do the transform 4 times as they check it against the db.
01-19-2017 , 12:20 AM
So it accepts, assuming a five letter word plus four digits, around 400 incorrect versions of your password?

What could go wrong?
01-19-2017 , 02:08 AM
400?
01-20-2017 , 12:31 AM
So say my password is:
Billy1991#

It'll take billy1991#, bIlly1991#, billy1991#@, BILLY1991#L, on and on and on

Doing napkin math, it's 2 ^ 5 for the first 5 chars, so 32 combinations, and 52 alpha, 25 numeric + special characters that can be added to the end (77). 32 combinations times 77 end possibilities = 2464 possible "correct" passwords.

I'm crazy tired and not thinking straight so someone check my math.

Last edited by Loki; 01-20-2017 at 12:36 AM.
01-20-2017 , 11:44 AM
I think you have that part wrong. Sounds like they only accept an extra character at the end in addition to making some of it case insensitive. Where did you get the idea of accepting different numbers?
01-20-2017 , 04:05 PM
only different numbers in my calc was as an extra character at the end

so, Billy1991#3

i haven't fully read up on this as I haven't had a fb account in years, so if it's not true that all the alpha can be the wrong case, obviously that changes the calculations
01-20-2017 , 04:37 PM
They ignore an extra character, how did that turn to more than one?

If your password is password it would accept passwordx where x is any character, not any group of characters.
01-20-2017 , 05:22 PM
right, so passwordx and passwordy would both be accepted, which is 2 variations of password. I'm not sure why you would think they don't both count in a list of incorrect passwords that are accepted?
01-20-2017 , 05:30 PM
Sorry, I misread your post, I thought you were saying something else. Yes, it accepts a lot of variations on the correct password. I'll be glad when someone figures out how to do authentication without passwords right.
01-20-2017 , 09:18 PM
i can't imagine many facebook passwords are brute forced. i'd be surprised if accepting these extra ones is of much concern at all.

i suppose it might matter if someone is doing a targeted guess, like they've seen your password before or they have a similar password of yours from another site. but that's kind of a longshot.
01-20-2017 , 10:33 PM
Around 60% of people reuse passwords, according to the first internet link on google. So if you can make slight modifications to known passwords, you're in like flint.
01-20-2017 , 10:38 PM
Only if the "slight modification" was in capitalization.
01-21-2017 , 06:15 PM
Quote:
Originally Posted by Noodle Wazlib
So say my password is:
Billy1991#

It'll take billy1991#, bIlly1991#
My understanding is that they won't take the 2nd one. They said the 1st letter can be capped/uncapped, or all the letters can be capslocked/un, which is 4 combos, so it's 4 * 77 = 308 accepted strings for that pw (in fact, 308 for any pw containing more than one letter and beginning with a letter).
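
An added sketch, not from any poster and not Facebook's code, of the second option raised earlier in the thread: store one hash of the exact password and transform the submitted string at check time. The transform set (whole-string case swap, first-character case toggle, one trailing character dropped, each applied on its own rather than combined), the 94-character printable ASCII alphabet, the PBKDF2 parameters and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 100_000  # constructed demo value, not taken from the thread
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars (assumed)

def toggle_first(s):
    """Flip the case of the first character only."""
    return s[:1].swapcase() + s[1:]

def candidates(submitted):
    """Strings the server hashes for one login attempt, deduplicated, in order."""
    tries = [submitted, submitted.swapcase(), toggle_first(submitted), submitted[:-1]]
    return list(dict.fromkeys(t for t in tries if t))

def enroll(password):
    """Store one salted hash of the exact password; no variants are stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(submitted, record):
    """Accept if any candidate hashes to the stored value (at most 4 hashes)."""
    salt, stored = record
    ok = False
    for cand in candidates(submitted):
        digest = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, ITERATIONS)
        ok |= hmac.compare_digest(digest, stored)
    return ok

def accepted_inputs(password, alphabet=ALPHABET):
    """Every input this scheme accepts for `password` (inverse of candidates())."""
    near = {password, password.swapcase(), toggle_first(password)}
    near |= {password + c for c in alphabet}
    return {s for s in near if password in candidates(s)}

if __name__ == "__main__":
    rec = enroll("Billy1991#")  # constructed sample password from the thread
    for attempt in ["Billy1991#", "bILLY1991#", "billy1991#", "Billy1991#x",
                    "bIlly1991#", "Billy1991#xy"]:
        print(f"{attempt!r:16} accepted={verify(attempt, rec)}")
    print("accepted strings:", len(accepted_inputs("Billy1991#")))
```

Under these assumptions the accepted set is a fixed, small neighbourhood of the real password, and the stored record never contains more than the one hash; the cost is up to four hash computations per login attempt.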