Why can I log in to my facebook account with misspelled email/password
I've been playing around with different login forms online lately to see how they work. One of them was the Facebook login form. When I logged out of my account, my email and password were autocompleted by my browser, then I decided to misspell my email and see what would happen if I tried to log in.
To my surprise, I logged in with no problem after changing my email from example@gmail.com to example@gmail.comm. I then started experimenting with different misspellings and I had no problem logging in as long as it was not too far off my real email. I tried changing the domain name as well (example@gmadil.coom), my email prefix (ezfxample@gmail.com), etc.
Then I also tried misspelling my password, and as long as it was not too far off my real password I could log in with no problem (with the password it worked when adding one random letter before or after the real password, not when adding a letter in the middle of it).
I also checked the actual data sent in the request by looking at it in Chrome dev tools, and in fact it was the wrong data that was sent.
How can this be? Should I be worried about my account's security?
authentication facebook
asked and edited 8 hours ago by aMJay
If true (and it's a big enough claim that I'm going to want to verify it independently), then yes, everyone should be worried about account security, as it means passwords are stored in a reversible form.
– Ghedipunk
8 hours ago
@Ghedipunk to be more precise, it worked with a single random letter added before, and after the real password. Adding a random letter in the middle didn't allow me to log in.
– aMJay
8 hours ago
I can confirm this too. Someone else please try
– shobhonk
8 hours ago
That's an important distinction, with the random letter being before or after (and thanks for editing the question with that clarification as well; it helps)... That can be checked without storing it in a reversible form. With them allowing a bit of a fudge factor like that, it's time for me to generate an even longer password, though... ;-)
– Ghedipunk
8 hours ago
2 Answers
Facebook is allowing you to make a handful of mistakes to ease the login process. A Facebook engineer explained the process at a conference. The gist of it is that Facebook will try various permutations of the input you submitted and see if they match the hash they have in their database.
For example, if your password is "myRealPassword!" but you submit "MYrEALpASSWORD!" (capslock on, shift inverting capslock), the submitted password obviously doesn't match what they have stored. Rather than reject you flat out, Facebook tries to up the user experience by trying to "correct" a few common mistakes such as inserting a random character before or after, capitalizing (or not) the first character, or mistakenly using capslock. Facebook applies these filters one by one and checks the newly "corrected" password against what they have hashed in their database. If one of the permutations matches, Facebook assumes you simply made a small mistake and authorizes your session.
While worrying at first glance, this is actually still perfectly secure for a few reasons. First and foremost, Facebook is able to do this without storing the password in plaintext because they are transforming your provided (and untrusted) input from the form field and checking if it matches. Secondly, this isn't very helpful for someone trying to brute-force the password because online attacks are nigh impossible thanks to rate limiting and captchas. Finally, the odds of an attacker/evil spouse knowing the text of your password and not the capitalization are abysmally small, and so the risk created as a result of this feature is equally small.
Should you be worried? No, probably not.
Further reading: https://www.howtogeek.com/402761/facebook-fudges-your-password-for-your-convenience/
answered 8 hours ago by Sirens
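The check described in the answer above can be sketched as follows. This is an added example, not part of the original answer and not Facebook's code: the function names, the PBKDF2 parameters and the exact set of corrections are assumptions chosen to match the cases listed in the answer and the question.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt):
    """Salted one-way hash; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(password):
    """Return the (salt, digest) pair a server would keep for the account."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def corrections(submitted):
    """Yield (label, candidate): the input as typed, then each correction."""
    options = [
        ("exact", submitted),
        # Caps lock left on: every letter has its case inverted.
        ("caps_lock", submitted.swapcase()),
        # First character capitalised (or not) by mistake.
        ("first_char_case", submitted[:1].swapcase() + submitted[1:]),
        # One stray character typed before the password.
        ("extra_leading_char", submitted[1:]),
        # One stray character typed after the password.
        ("extra_trailing_char", submitted[:-1]),
    ]
    seen = set()
    for label, candidate in options:
        # Skip empty strings and candidates that were already tried.
        if candidate and candidate not in seen:
            seen.add(candidate)
            yield label, candidate


def check_login(submitted, salt, stored_digest):
    """Return the label of the correction that matched, or None to reject.

    Only the untrusted input is transformed; the stored digest is used
    solely as the comparison target, in constant time.
    """
    for label, candidate in corrections(submitted):
        digest = hash_password(candidate, salt)
        if hmac.compare_digest(digest, stored_digest):
            return label
    return None


# Constructed sample account using the password from the answer's example.
SALT, STORED = enroll("myRealPassword!")

if __name__ == "__main__":
    attempts = [
        "myRealPassword!",   # as enrolled
        "MYrEALpASSWORD!",   # caps lock on
        "MyRealPassword!",   # first letter capitalised
        "xmyRealPassword!",  # extra letter before
        "myRealPassword!x",  # extra letter after
        "myRealxPassword!",  # extra letter in the middle
    ]
    for attempt in attempts:
        print(attempt, "->", check_login(attempt, SALT, STORED))
```

Each submitted string is checked against up to five candidates, so a rate limiter in front of this check should count submissions rather than hash comparisons.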
It has long been known that Facebook purposely allows you to log in with the password case reversed or the first character capitalized (see this article). They do this by storing the different hashes of the password. Are you seeing that more differences are allowed?
Apparently, they also have some similar usability features for the email address.
Automatically "correcting" gmail.comm to gmail.com is actually harmless, since there's (currently) no comm TLD, so nobody would actually have a valid gmail.comm email address. I am however surprised that they would allow gmadil.com (currently for sale) or a different username, as that could be someone else's email address.
They might have decided that usability is of utmost importance and, if there is a login attempt for an email address for which there is not an account, automatically attempt the login with the most similar username, but, while not completely bad, it doesn't seem a good approach, as someone else could sign up tomorrow with the ezfxample@gmail.com email and, although unlikely, also use Password123 as password, then what?
Update: This had been tested a few years back by Lukas on Does correcting misspelled usernames create a security risk? and apparently logging in with a misspelled email address only works when you have not deleted Facebook cookies from your earlier session. Thus, it only autocorrects your email address when it knows that you used to log in as example@gmail.com, and otherwise fails.
Note: AndyGrayland had suggested earlier that the cookies could be playing a part in this, but it is now in a deleted answer.
answered and edited 8 hours ago by Ángel
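The difference between the two designs discussed in the answer above, correcting a misspelled email only against the account remembered in a cookie versus correcting it against the most similar account overall, is shown in this added example. It is not part of the original answer and not Facebook's code: `resolve_scoped`, `resolve_global`, the edit-distance limit of 2 and the sample accounts are all hypothetical.

```python
def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,               # delete a character from a
                cur[j - 1] + 1,            # insert a character into a
                prev[j - 1] + (ca != cb),  # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


def resolve_scoped(submitted, accounts, remembered, max_distance=2):
    """Correct a typo only towards the account this browser logged in as.

    `remembered` is the email recovered from a cookie of an earlier
    session, or None when the cookies were deleted.
    """
    email = submitted.strip().lower()
    if email in accounts:
        return email  # an exact match always wins over any correction
    if remembered in accounts and edit_distance(email, remembered) <= max_distance:
        return remembered
    return None


def resolve_global(submitted, accounts, max_distance=2):
    """Weaker design: correct towards the most similar account overall."""
    email = submitted.strip().lower()
    if email in accounts:
        return email
    nearest = min(accounts, key=lambda acct: edit_distance(email, acct), default=None)
    if nearest is not None and edit_distance(email, nearest) <= max_distance:
        return nearest
    return None


# Constructed sample data using the addresses from the question.
ACCOUNTS = {"example@gmail.com"}
COOKIE = "example@gmail.com"

if __name__ == "__main__":
    for typed in ["example@gmail.comm", "example@gmadil.coom", "ezfxample@gmail.com"]:
        print(typed,
              "| with cookie:", resolve_scoped(typed, ACCOUNTS, COOKIE),
              "| no cookie:", resolve_scoped(typed, ACCOUNTS, None),
              "| global:", resolve_global(typed, ACCOUNTS))

    # The "then what?" case: someone later registers the misspelled address.
    later = ACCOUNTS | {"ezfxample@gmail.com"}
    print(resolve_scoped("ezfxample@gmail.com", later, COOKIE))
```

In the scoped version a misspelling typed on a device with no prior session resolves to nothing, while the global version maps it onto whichever existing account is nearest. Once the misspelled address is registered, the exact match takes precedence in both.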