Flawed Facebook Passwords

How it came to be that Facebook chose to make your password 94x weaker than it need be

There's truth to that statement, there's also a lot of background information I'll cover so you understand it, inside and out. As I covered in my encryption post, I described the process wherein a password input by the user is scrambled up. This process is one way and it's called hashing. I like to think of it as "hash-browns". You take a potato, and you scramble it up, and make something completely new. Another way to think of it is "rehashing" like when you "rehash" a project you've done, again, turning it into something new.
Hashbrowns on plate
I'll admit this is a loosely fit analogy...
Consider the following hashes created using MD5
[?] I picked MD5 purely because it's one of the shorter ones. MD5 is perfectly suited for a blog post because it sure isn't suited for securing passwords. Every single company that hashes their passwords with MD5 is a liability. Read more here.
  'password' becomes: '5F4DCC3B5AA765D61D8327DEB882CF99'
  'PASSWORD' becomes: '319F4D26E3C536B5DD871BB2C52E3178'
  'PASSword' becomes: '64BEBDCE805A0EBE778B88E632B77042'
  'passWORD' becomes: 'B291559957FFC706FC38D49B5512055C'
Few things to note. Hashes are always the same length and wildly change despite the input changing only ever so slightly. They also create the same hash every time. Remember how I said hashes are one way? Hashing is "simply"
[?] I really want to make clear that this is a gross simplification and that current hash methods are short of magic. If you want your head to spin, look into hashing methods that are quantum computer proof...
a lot of math that can reliably produce hashes. The math is set up such that even if you steal a hash, you can't calculate the original password that created it.
A screenshot of the results of a brute force attack
Here, a popular security tool is used to find the passwords of some hashes
Surely you've heard of "brute force attacks". That's what hackers do with hashes. If they have a hash, they go "does the hash of 'aaaaaaaa' equal the hash I have stolen", "what about 'aaaaaaab'", until they've tried every permutation. I'll rehash (bad dum tish) how hashing and passwords go hand in hand. This is how passwords are stored. When you create an account. The service does not save the password but rather, the hash of your password. Then, when you log in, the service hashes your plain text password and then compares the hash to the one saved in the database. Passwords aren't compared, only the hashes. If they match, then you've got the correct password and you'll be signed in.
Facebook's password database will be a table with two coloums, and billions of rows. The first entry may read 'JohnSmith1 : D03A2AB540E8AACF18BBAFC12C4F1569'. It's for this reason that Facebook, or whomever, can't send you your password when you forget it. Facebook simply does not store your password, and yet it checks it to log you in. When you enter your password on Facebook, it has to redo all the math and then can compare hashes (which is NP)
[?] Perhaps you've heard about the P vs NP computational question. Perhaps you haven't. Perhaps you want to make million dollars. This video was easily the best explained I've come accross on the topic.
. Hot PSA: if a website or service or app ever sends you your password in an email or by SMS or whatever... run... run farrrrrrrrrrrr away
[?] Not before submitting it here though!
. The only way that's possible is if they store passwords (not hashed) which is a HUGE security nono
[?] As much as I'd love to say it doesn't happen, I personally come across it nigh weekly.
Tmobile tweet bragging about security
T-mobile get exposed for using plain text passwords, T-mobile says it's fine and brags that their security is "amazingly good", subsequently gets hacked and becomes a laughing stock. Don't get arrogant with security researchers, you don't want to piss us off.
With that background information out of the way, here's the strange design decision that I discovered Facebook uses. Log out of Facebook, then log in again, BUT, log in with your password in uppercase. You would be logged in. Try this on ANY other service / app / website, it will say your password is incorrect. Turns out, Facebook stores four hashes for each user. Your regular password hash, your password in lowercase hash, your password in uppercase hash and your password in reversed case hash. In other words, if my password were 'PASSword', I'd be an idiot. If your password is 'password', you're the reason I have job security. With my password 'PASSword', as explained before, these passwords would also log me in to Facebook: 'password', 'PASSWORD' and 'passWORD'. Entropy: A measure of the disorder or randomness in a closed system. - Wikipedia (now referenced by courts!)
Entropy. Here, it's how complex your password is. I'm sure you've come across hundreds of places that say "you need at least one number" or "you need at least one special character" or "you need at least 10 characters" or "you need at least one capital" (which is strange because my password: 'canberra' didn't work (yes that was a joke (yes, me having to tell you it was a joke shows just how bad it was (how many nested parentheses are grammatically legal?))). All these requirements are to boost your passwords entropy, to make it more complex, to make it harder to guess.
Woolworths having a 6 to 8 character password limit
Woolworths Australia, abysmally abhorrent. You may as well write: "choose a password that takes anywhere between 8 milliseconds and 5 seconds to crack"
Facebook lets you use the following characters to construct your password: '#abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@$&()'
[?] Frankly, in full disclosure, I'm only guessing here...
(which has got to be a contender for the worst hashtag ever). Each character in your password could be any one of those 60 characters. So to calculate the number of possible passwords that are 8 characters long, we simply do 60^8 = 167961600000000. But hang on, we know that Facebook will let you in with a lowercase password, so we can remove the capitals from the character set. Now there are only 34 possible characters in each position. With 34 characters and a password of 8 characters, the number of possible passwords is now 34^8 = 1785793904896. 167961600000000 / 1785793904896 ~= 94. Facebook passwords eight characters long are 94 times weaker than they should be. This becomes 15610x weaker for 16 character passwords!
Facebook's justification is that if you've accidentally left caps lock on, but still got your password right, it didn't want to bother you, so it just lets you through. It's an interesting implementation, I suppose it has its merits, it's just highly unconventional. Security is and always will be a game of security vs usability. You could have 100 length passwords for each website and be super secure, but you'll also be sitting there for 10 minutes just to log in.
A comic explaining how a passphrase has much higher entropy
Some quality comics over there at xkcd!
Security leaders have recently started recommending you have passphrases rather than passwords. 'JF*)#gbh' takes 3 hours to crack. 'correct horse battery staple' takes 15 octillion years and '$ally had a little LAMB!' takes 21 octillion years. Those times are for conventional computers. We now have working quantum computers that in the wrong hands will destroy all protections the internet currently employs to secure data. So stay tuned for whatever follows from that! Otherwise, don't forget to set good, unique passwords, and next time you log into Facebook, why not give an uppercase version of your password a go?