the whole world burns

Archive for category 'passwords'

Facebook's autocorrection of password typos


Apparently old news but new to me. Facebook employs a brilliant method to improve password usability:

My understanding for Facebook is that if you fail to log in, they make 3 extra automated attempts:

  • Swap capitalization on first character
  • Swap capitalization on whole input (e.g. caps lock left on)
  • remove last character of password. (e.g. If you hit \ when trying to press enter)

So your password is still stored securely as a salted hash, they just automatically attempt 3 extremely similar passwords if your initial attempt didn't work.

Genius. See also pASSWORD tYPOS and How to Correct Them Securely, with numbers on types of error and security impact of accepting them.

Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes

 # [via]

Short version: of course you need salt, but the real goal is to make brute-forcing infeasible. The best way to accomplish that task is to make your hash function as slow as possible, and able to be slowed even further to compensate for advances in hardware.

AOL's absurdly bad password system


Issues apparently include:

  • Passwords truncated to the first 8 characters
  • Non-alphanumeric characters stripped
  • Stored encrypted (not hashed) in the Windows registry

And various Unix flavours have similar default behaviour?!

Small things, links and miscellany, sparkling with light. Sam's tumblelog.

Related Tags