by cratermoon 1716 days ago
The problem is that fundamentally, to Facebook, a user's login account is a separate thing from the user's profile. You can delete your account, and with a straight face Facebook can assert you've deleted it. But your profile, the mass of data and content that you put on Facebook with your account, and all the data associated with it through their social graph and algorithms, that never gets deleted.

In a very real sense, "you" still exist in Facebook. That's why, weeks, months, or years later, when you log in, Facebook recognizes you. You create a new "account", and Facebook very conveniently associates everything it knows about you (which it never forgot) with your new account.

1 comments

I tested this quite recently actually. I typed my Facebook password to log in with all sorts of mistakes, although the core part of it remains the same, with some minor changes (all caps, a capital letter, an extra character, etc). In all cases the passwords were accepted.

Which leads me to think that Facebook passwords might just be stored as searchable text rather than hashes. Granted I'm no cryptography expert though.

This was talked about in another HN thread a few years ago https://news.ycombinator.com/item?id=13426544

It's not stored in searchable text; rather, they simply have some heuristics by which they modify the password submitted and retry automatically.

Thanks. That's a very interesting approach by them.
Yikes.
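
The retry heuristic described in the reply above works with only a salted hash on the server, as this added example shows (it is not from the thread and is not Facebook's code). The variant set, the PBKDF2 parameters and every function name are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed demo value, not a production recommendation


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    """What the server keeps at enrolment: (salt, digest). No plaintext."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def candidates(submitted: str) -> list:
    """The submitted string plus a short, fixed list of typo corrections."""
    variants = [submitted, submitted.swapcase()]  # caps lock left on
    if submitted:
        # first character auto-capitalised (or un-capitalised) by a keyboard
        variants.append(submitted[0].swapcase() + submitted[1:])
        # one stray character typed at the end
        variants.append(submitted[:-1])
    unique = []
    for v in variants:
        if v and v not in unique:
            unique.append(v)
    return unique


def verify(submitted: str, record: tuple) -> bool:
    """Hash every candidate and compare against the stored digest."""
    salt, stored = record
    ok = False
    for cand in candidates(submitted):
        # constant-time digest comparison; all candidates are always evaluated
        ok |= hmac.compare_digest(hash_password(cand, salt), stored)
    return ok


if __name__ == "__main__":
    record = make_record("Tr0ub4dor&3x")  # constructed sample password
    for attempt in ["Tr0ub4dor&3x", "tR0UB4DOR&3X", "tr0ub4dor&3x",
                    "Tr0ub4dor&3x!", "Tr0ub4dor&3", "hunter2"]:
        print(f"{attempt!r:18} accepted={verify(attempt, record)}")
```

Every accepted variant is an extra guess granted per login attempt, so the candidate list stays short and fixed and still needs rate limiting in front of it.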