Apparently old news but new to me. Facebook employs a brilliant method to improve password usability:
My understanding for Facebook is that if you fail to log in, they make 3 extra automated attempts:
- Swap capitalization on first character
- Swap capitalization on whole input (e.g. caps lock left on)
- remove last character of password. (e.g. If you hit \ when trying to press enter)
So your password is still stored securely as a salted hash, they just automatically attempt 3 extremely similar passwords if your initial attempt didn't work.
Genius. See also pASSWORD tYPOS and How to Correct Them Securely, with numbers on types of error and security impact of accepting them.