by CJefferson 1823 days ago
One thing I read (and checked, this was in the past) Facebook did was even do simple whitespace stripping on passwords, as well as checking with caps-lock switched on.

While it technically might make passwords very slightly less secure, it makes life much easier for users, so I personally think it's worth the cost.


See "pASSWORD tYPOS and How to Correct Them Securely" by Dropbox: https://ieeexplore.ieee.org/abstract/document/7546536

We also implemented it at Pinterest, I think it's a pretty good idea for a few common cases, especially for users typing their password on mobile.

Before doing this though, you want to make sure you have rate limits in place against brute force password checks for account takeover.

Wouldn't that interfere with a password manager that auto-saves?
no

basically the hashing algorithm they use strips out certain information, which means that e.g.

"PaSSWord123" "pAsswORD123" "PaSSWord123 " etc

all hash to the same value, and so are equivalent.

>> "PaSSWord123" "pAsswORD123"

Wow - non-case-sensitive passwords seem like a bad idea...

No, it's still case sensitive, you can just flip all the characters' case. You are only losing "one bit" of password information.
> it's still case sensitive, you can just flip all the characters' case.

How is "flipping all the characters' case" different from case-insensitive?

They flip all characters' case in one go, and also capitalise just the first character.

So, if your password was:

fishCAT

They would accept fishCAT, and also FISHcat and FishCAT, and that's it.
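A small verifier for the scheme this reply describes, added here as an example and not Facebook's, Dropbox's or Pinterest's code: each typo corrector (trailing whitespace, caps-lock, first character) is applied to the typed password and every distinct variant is hashed and compared against the stored hash, so no normalised form of the password is ever stored. PBKDF2 with a constructed salt stands in for whatever hash the real sites use, and the function names (`candidates`, `hash_password`, `verify`) are my own.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor, not a real site's setting


def candidates(typed: str) -> List[Tuple[str, str]]:
    """Return (corrector name, variant) pairs in the order they are tried.

    Duplicates are dropped, so a password with no letters or no trailing
    whitespace produces fewer variants and therefore fewer hash computations.
    """
    variants = [
        ("exact", typed),                           # as typed
        ("strip", typed.strip()),                   # stray whitespace
        ("swap-all", typed.swapcase()),             # caps-lock left on
        ("swap-first", typed[:1].swapcase() + typed[1:]),  # mobile auto-cap
    ]
    out: List[Tuple[str, str]] = []
    for name, cand in variants:
        if all(cand != seen for _, seen in out):
            out.append((name, cand))
    return out


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the password exactly as typed at enrolment; no normalisation."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(typed: str, salt: bytes, stored: bytes) -> Optional[str]:
    """Return the name of the corrector that matched, or None if none did.

    Each variant costs one full password hash, so an attacker's guess costs
    the server up to four hashes; that is why this must sit behind the
    per-account rate limiting mentioned in the thread.
    """
    for name, cand in candidates(typed):
        digest = hashlib.pbkdf2_hmac("sha256", cand.encode("utf-8"), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, stored):
            return name
    return None
```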

Pretty sure they don't do that for authentication.
I didn't know it's still possible for Facebook to disappoint me.