Reference no: EM133499475
Case: Someone recently pointed out to me that Facebook and a few other websites have a rather fascinating feature in their login process: if you inadvertently have caps-lock turned on when entering your password, it will still log you in. For instance, if my password is h0rsebattery, then the system will also log me in if I enter H0RSEBATTERY as my password (but not H0rSeBaTTerY). This got me wondering how they implemented this feature and whether this feature is a security risk.
If Facebook stored each user's password in the clear in their database, it would be easy for them to provide this feature. They could check a password entered into their website against both the stored password and a caps-locked version of the stored password. However, storing passwords in the clear is a major security no-no. Fortunately, Facebook doesn't store passwords in the clear. (The conventional defense is to store a hash of the password instead of the password P itself. For example, a website might store the hash h(P), where h(.) is a cryptographic one-way hash function. When the user enters a password P', the system hashes it and then compares h(P') against the stored hash. However, with this conventional approach, if you have caps lock on when you enter your password, the hashes won't match.)
My next thought was that maybe Facebook has some JavaScript running in your browser that tests whether caps lock is enabled and, if so, undoes the effect of the caps lock key. However, it turns out that this is not the case.
It also occurred to me that maybe Facebook is looking at the username, and if the username is in all capitals, they un-capslock the password before checking it against the hashed version. However, a quick test confirmed that this is not what they are doing: I can still log on with my username in all lowercase but with the capslock enabled when I type the password.
So, this is a bit of a puzzler. It raises an obvious question: is it possible to implement this feature, without major loss of security, and subject to the above constraints (no client-side Javascript, no uppercase/lowercase checks on the username, no passwords stored in the clear in persistent storage anywhere)? More precisely, please answer two variations of this question, for two different scenarios:
- On Windows and Linux, capslock reverses the case of all letters. Thus, clOwN becomes CLoWn if you type it with capslock enabled. Can you provide the feature described above for Windows/Linux users without major loss of security? If yes, explain how, and quantify how much security is lost compared to the traditional method of storing the password in hashed form. If no, explain why not.
- On Macs, capslock upper-cases all letters. Thus, clOwN becomes CLOWN if you type it with capslock enabled. Can you provide the feature described above for Mac users without major loss of security? If yes, explain how, and quantify how much security is lost compared to the traditional method of storing the password in hashed form. If no, explain why not.
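As an added worked example (not part of the original case, and not a claim about how Facebook actually implements the feature), the following Python sketches the two server-side designs the two scenarios lead to, so the security cost of each can be measured. The function names, the PBKDF2 parameters and the fixed test salts are assumptions made for illustration; any slow, salted password hash would serve the same role as `kdf`. For the Windows/Linux case the server keeps the conventional hash of the password exactly as chosen and, at login, tries the typed string and its case-swapped twin (undoing a case inversion is just another case inversion). For the Mac case the typed string is the uppercased password, and uppercasing is not invertible, so the only way to accept it without storing the cleartext is to hash an uppercased canonical form, which erases the case of every letter:

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Assumption for the example: PBKDF2-HMAC-SHA256 stands in for whatever slow,
# salted password hash the site really uses. Only the comparison logic matters.
ITERATIONS = 100_000


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll_exact(password: str, salt: Optional[bytes] = None) -> dict:
    """Conventional record: salt plus the hash of the password exactly as chosen."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": kdf(password, salt)}


def enroll_uppercased(password: str, salt: Optional[bytes] = None) -> dict:
    """Mac-style record: the hash of an uppercased canonical form of the password.
    Letter case is discarded at enrollment, so it can never be checked again."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": kdf(password.upper(), salt)}


def _matches(record: dict, candidate: str) -> bool:
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(kdf(candidate, record["salt"]), record["hash"])


def verify_exact(record: dict, typed: str) -> bool:
    """The traditional check: one hash, one comparison, no caps lock tolerance."""
    return _matches(record, typed)


def verify_swapcase(record: dict, typed: str) -> bool:
    """Windows/Linux caps lock tolerance against an exact-form record.
    Caps lock inverts case, and inversion is its own inverse, so swapcase(typed)
    recovers the original password when caps lock was on. Two candidates are
    tried; the stored hash is unchanged from the conventional scheme."""
    candidates = {typed, typed.swapcase()}  # a set: no letters means one candidate
    return any(_matches(record, c) for c in candidates)


def verify_uppercased(record: dict, typed: str) -> bool:
    """Mac caps lock tolerance against an uppercased record. Uppercasing the typed
    string accepts both the original and its caps-locked form, but also every
    other casing, which is exactly the entropy that has been given up."""
    return _matches(record, typed.upper())


def bits_lost_swapcase() -> float:
    """Each attacker guess P' now covers {P', swapcase(P')}, at most 2 strings,
    so the effective password space shrinks by at most a factor of 2: one bit."""
    return math.log2(2)


def bits_lost_uppercased(password: str) -> int:
    """Upper bound on the loss for the Mac design, assuming the case of each letter
    was an independent coin flip: one bit per letter, none for digits or symbols."""
    return sum(1 for ch in password if ch.isalpha())


if __name__ == "__main__":
    # Constructed inputs taken from the question text above.
    win = enroll_exact("h0rsebattery")
    print(verify_swapcase(win, "H0RSEBATTERY"), verify_swapcase(win, "H0rSeBaTTerY"))
    mac = enroll_uppercased("clOwN")
    print(verify_uppercased(mac, "CLOWN"), verify_swapcase(win, "CLOWN"))
    print(bits_lost_swapcase(), bits_lost_uppercased("h0rsebattery"))
```

Note the asymmetry this makes visible: the swap-case retry costs the server one extra hash computation per failed login and the user at most one bit of effective entropy, while the uppercased record costs up to one bit per letter for every user, whether or not they ever press caps lock, and the loss is baked into the stored hash rather than incurred at login time.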