
Typos, passwords, and Facebook’s elephant memory

Posted: January 21st, 2011 | Filed under: Tech | 2 Comments

Over the weekend I changed my Facebook password. All I did was add one character to my old password, so all this week I’ve been accidentally typing my old password out of habit. Each time, I’ve gotten this message:

"It looks like you entered a slight misspelling of your email or username. Please re-enter your password."

The first day I disregarded it, re-typed my new (but barely different) password, and went on my merry way. By the third day I was wondering if somehow Facebook was detecting the fact that I was getting my password wrong, but only by a single character (after all, I was), and interpreting it as a typo and showing me this message even though it wasn’t the “email or username” that was wrong.

How would that work? Well, I don't know. Computers can certainly tell when one word is similar to another (that is how Word puts a red line under a mistyped word), but every web developer knows you never store users' passwords. Instead you (usually) store a cryptographic hash of the password, ideally salted and deliberately slow to compute, which is designed so that it can't feasibly be reversed to recover the password. This is a big topic I can't do justice to here (Wikipedia has plenty on it), but suffice it to say that a normal hash can't be compared against a wrong password to see whether it's merely a typo: changing a single character of the input changes roughly half the bits of the output, so the stored hash of the old password tells the server nothing about a near miss. I wondered whether Facebook's engineers had implemented some kind of advanced hash that makes such comparisons possible, but in the end it was moot, because I was wrong. Facebook wasn't looking at my password at all.

See, I was making an assumption: that I was typing my username correctly. Could I be so dumb? Actually, I thought I was being kind of clever. Facebook allows dots (periods) in usernames; mine is jordan.running. But when you type a Facebook profile URL, it doesn't really care about the dots: whether you go to facebook.com/jordanrunning or /jor.dan.run.nin.g, it redirects you to the right place, facebook.com/jordan.running. With this knowledge in hand, I've always just typed "jordanrunning" (no dot; a keystroke saved is a keystroke earned) into the login form and gotten in just fine, even though I had typed the "wrong" username. So I assumed that Facebook considered "jordanrunning" wholly equivalent to "jordan.running" for logging in, and that the message I got was due solely to my new password. But then I tried my "real" username, with the dot, and my old password, and got a different message:

"The password you entered is incorrect."

So what's happening? Finally it dawned on me, and I felt dumb for not realizing it right away. Facebook sets a cookie that remembers the last account that logged in from your browser, and that cookie survives logging out. If a login fails, regardless of whether it's the username or the password that's wrong, Facebook checks that cookie first, and if the username you typed looks like a likely typo of the remembered one, it shows the "slight misspelling" message instead of the generic one. Sure enough, when I tried the same steps in a Chrome Incognito window (no cookies), I got the incorrect-password page instead of the typo page. I'd expect the same result on a computer (or browser) I'd never used before, unless the last person to use it had a username really similar to mine.

Confused? Here's a flowchart of what (I think) the Facebook authentication process looks like:

[Flowchart: Facebook authentication process]
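As an added example (not code from this post, and not Facebook's own code), here is a toy Python reconstruction of the flow inferred above: salted PBKDF2 password storage, dot-insensitive username lookup, and a Levenshtein check of the raw typed username against a remembered last_user cookie. The cookie name, the threshold of two edits, the hash parameters, the case-folding of usernames and the credentials are all assumptions. It also includes near_miss_hash_distance, which illustrates the earlier point that the stored hash of the old password says nothing about a one-character variant.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# The two messages quoted in the post.
MSG_TYPO = ("It looks like you entered a slight misspelling of your email or "
            "username. Please re-enter your password.")
MSG_BAD_PASSWORD = "The password you entered is incorrect."

# Assumed tuning knobs: Facebook's real threshold and hash parameters are not known.
TYPO_MAX_DISTANCE = 2      # Levenshtein edits allowed for a "slight misspelling"
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the server stores (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def near_miss_hash_distance(pw_a: str, pw_b: str) -> int:
    """Bits (of 256) that differ between the digests of two passwords hashed with the
    same salt. One extra character flips about half of them: the hash can't see a typo."""
    salt = b"constructed-demo-salt"  # fixed so the result is reproducible
    _, da = hash_password(pw_a, salt)
    _, db = hash_password(pw_b, salt)
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def canonical_username(name: str) -> str:
    """Dots are ignored for account lookup, as the post observes for profile URLs.
    Folding case is an added assumption."""
    return name.replace(".", "").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class AuthService:
    """Toy reconstruction of the login flow inferred in the post."""

    def __init__(self) -> None:
        # canonical username -> (username as registered, salt, digest)
        self.users: dict[str, tuple[str, bytes, bytes]] = {}

    def set_password(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[canonical_username(username)] = (username, salt, digest)

    def login(self, typed: str, password: str, cookies: dict) -> tuple[bool, str, dict]:
        """Returns (success, message, cookie jar). The jar is returned rather than
        mutated so a caller can model an Incognito window by passing {}."""
        record = self.users.get(canonical_username(typed))
        if record is not None and verify_password(password, record[1], record[2]):
            jar = {**cookies, "session": os.urandom(8).hex(), "last_user": record[0]}
            return True, "Welcome, " + record[0], jar
        # Login failed (bad username or bad password): consult the cookie first.
        last = cookies.get("last_user")
        if last is not None and 0 < edit_distance(typed.lower(), last.lower()) <= TYPO_MAX_DISTANCE:
            return False, MSG_TYPO, cookies
        return False, MSG_BAD_PASSWORD, cookies

    def logout(self, cookies: dict) -> dict:
        """Ends the session but deliberately leaves last_user behind."""
        return {k: v for k, v in cookies.items() if k != "session"}


def walkthrough() -> list[str]:
    """Replays the post's scenario with constructed credentials; returns each attempt's message."""
    svc = AuthService()
    svc.set_password("jordan.running", "hunter2")
    _, _, jar = svc.login("jordan.running", "hunter2", {})
    jar = svc.logout(jar)                           # last_user survives logout
    svc.set_password("jordan.running", "hunter2!")  # "add one character to my old password"
    attempts = [
        ("jordanrunning", "hunter2", jar),    # no dot, old password: typo message
        ("jordan.running", "hunter2", jar),   # real username, old password: incorrect password
        ("jordanrunning", "hunter2", {}),     # first attempt again, Incognito: incorrect password
        ("jordanrunning", "hunter2!", jar),   # no dot, new password: dots are ignored, so success
    ]
    return [svc.login(u, p, c)[1] for u, p, c in attempts]
```

walkthrough() replays the post's four attempts and returns the message each one gets, with the Incognito case modelled by an empty cookie jar. The decision hinges on the raw typed name versus the remembered one, while account lookup uses the dot-stripped form, which is exactly why the dotless name with the old password yields the typo message and the dotted one yields the incorrect-password message.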

It's interesting to see how much thought has gone into a feature seemingly as simple as "we think you made a typo in your username." As for the security or privacy implications, you may draw your own conclusions, as my interest was primarily in how it works. The one observable side effect is the one already described: on a shared browser, the typo message tells whoever is typing that an account with a very similar name was the last to log in there, which is information the cookie on that machine already carried. I give Facebook the benefit of the doubt more often than a lot of savvy folks, but nothing here sticks out to me as risky or imprudent.

2 Comments on “Typos, passwords, and Facebook’s elephant memory”

  1. Tweets that mention Jordan Running » Blog Archive » Typos, passwords, and Facebook's elephant memory -- Topsy.com said at 4:18 pm on January 21st, 2011:

    [...] This post was mentioned on Twitter by Jordan Running, Sarah Wood. Sarah Wood said: Typos, passwords, and Facebook’s elephant memory http://bit.ly/hu5BnV [...]

  2. Todd Adamson said at 11:51 am on May 3rd, 2011:

    Serious geek business. I like it.