Typos, passwords, and Facebook’s elephant memory
Posted: January 21st, 2011 | Author: Jordan | Filed under: Tech | Tags: authentication, cookies, Facebook, password, security, typos, web, web development

Over the weekend I changed my Facebook password. All I did was add one character to my old password, so all this week I’ve been accidentally typing my old password out of habit. Each time, I’ve gotten this message:
The first day I disregarded it, re-typed my new (but barely different) password, and went on my merry way. By the third day I was wondering if somehow Facebook was detecting the fact that I was getting my password wrong, but only by a single character (after all, I was), and interpreting it as a typo and showing me this message even though it wasn’t the “email or username” that was wrong.
How would that work? Well, I don’t know. Of course, computers can detect when one word is similar to another (e.g. a typo, like when Word shows a red line under a mistyped word), but every web developer knows you never store users’ passwords; instead you (usually) store a salted cryptographic hash of the password, which can’t be reversed to recover the password (an attacker who gets the hash can still guess candidates and hash each one, which is why weak passwords remain weak). This is a big topic I can’t do justice to here (if you’d like there’s lots to learn at Wikipedia), but suffice it to say a normal hash can’t be compared to a wrong password to see if it’s just a typo: changing one character of the input changes roughly half the bits of the output, so the hash of a near-miss looks no closer than the hash of a completely wrong guess. I wondered if Facebook’s engineers had implemented some kind of advanced hash that makes such comparisons possible, but in the end it was moot—because I was wrong. Facebook wasn’t looking at my password at all.
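The following is an added example, not code from the post and not a description of what Facebook does. It shows the two halves of the argument above with constructed sample passwords (the "new" one is the "old" one with a single character appended, as in the post): first, that two passwords one edit apart produce hashes that differ in about half their bits, so a server holding only hashes cannot measure "closeness"; second, the one way typo tolerance can be added without weakening the stored hash, which is the approach studied by Chatterjee et al. ("pASSWORD tYPOS and How to Correct Them Securely", IEEE S&P 2016): the server applies a small fixed set of likely corrections to what was typed and checks each candidate against the stored hash exactly as it would the original attempt. The candidate set here (caps lock toggled, first letter case flipped, one trailing character dropped) is this example's own choice.

```python
import hashlib
import hmac
import os

# Constructed sample passwords for the demonstration (not real credentials).
OLD_PASSWORD = "correct horse battery"
NEW_PASSWORD = "correct horse battery!"   # old password plus one character


def sha256_hex(s: str) -> str:
    """Plain SHA-256 of a string; used only to illustrate the avalanche effect."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def hamming_bits(a_hex: str, b_hex: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def char_distance(a: str, b: str) -> int:
    """Levenshtein edit distance between two strings (the human notion of a typo)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Password storage: a per-user random salt and a slow hash (PBKDF2-HMAC-SHA256).
# The iteration count is kept low only so this example runs quickly.
ITERATIONS = 50_000


def make_record(password: str) -> dict:
    """Create the stored credential record: salt plus PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_exact(record: dict, attempt: str) -> bool:
    """Ordinary check: hash the attempt with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def typo_corrections(attempt: str):
    """A small fixed set of candidate corrections of what the user typed.

    Each candidate costs one full hash computation, so the set must stay tiny.
    The stored hash is never inspected for similarity; each candidate either
    hashes to exactly the stored value or it does not.
    """
    yield attempt.swapcase()                        # caps lock was on
    if attempt and attempt[0].isalpha():
        yield attempt[0].swapcase() + attempt[1:]   # first letter auto-capitalised
    if len(attempt) > 1:
        yield attempt[:-1]                          # one trailing character too many


def verify_typo_tolerant(record: dict, attempt: str) -> str:
    """Return 'exact', 'corrected' or 'rejected' for an attempt against a record."""
    if verify_exact(record, attempt):
        return "exact"
    for candidate in typo_corrections(attempt):
        if verify_exact(record, candidate):
            return "corrected"
    return "rejected"


if __name__ == "__main__":
    old_h, new_h = sha256_hex(OLD_PASSWORD), sha256_hex(NEW_PASSWORD)
    print("edit distance between passwords:", char_distance(OLD_PASSWORD, NEW_PASSWORD))
    print("differing bits between their SHA-256 digests (of 256):", hamming_bits(old_h, new_h))

    record = make_record(NEW_PASSWORD)
    for attempt in (NEW_PASSWORD, OLD_PASSWORD, NEW_PASSWORD + "x", NEW_PASSWORD.swapcase()):
        print(repr(attempt), "->", verify_typo_tolerant(record, attempt))
```

Note what the typo-tolerant check can and cannot do: an attempt with an extra trailing character or the wrong case is accepted because a candidate correction hashes to the stored value, but the post's own situation (the old password, one character short of the new one) is rejected, since the server would have to guess the missing character and pay one slow hash per guess. Nothing about the stored hash reveals that the attempt was "only one character off".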
