Facebook foul-up leaves user passwords vulnerable
I just made a small discovery about Facebook passwords: they are not completely case sensitive. If you have letters in your Facebook password (as in, it's not just numbers), there is a second password that will let you log in to the social network.
Earlier today, I needed to check Facebook in Microsoft Internet Explorer 9, my alternative browser to Google Chrome. For whatever reason, I had my caps lock key on. Despite this, I still managed to log in to Facebook just fine.
I did a little investigation and I soon realized what was happening. If you reverse the case of every character in your password, you can still log into Facebook. Seriously, go try it yourself: Facebook Login.
This means that if your password is password1234, you can log in with PASSWORD1234, but not with any other combination of lowercase and uppercase characters. If your password is PaSsWoRd1234, you can log in with pAsSwOrD1234, but not with any other combination of lowercase and uppercase characters.
Even if you have both lowercase and uppercase letters in your password, you can still have the caps lock key on when you log in. Just remember to hit the shift key in the right places, and you'll still get in fine. This really isn't a huge security problem, although if someone is trying to brute force your Facebook account, they can technically try significantly fewer passwords.
I don't think this is by design; I have contacted Facebook and asked the social network if it is aware of the issue.
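The behaviour described above can be reproduced by a login check that hashes the submitted password twice, once as typed and once with the case of every letter reversed. The sketch below is an added example, not Facebook's code; how Facebook actually implements the check is not stated in this article, and every name, parameter and sample password in it is an assumption made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value for this demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> tuple[bytes, bytes]:
    """Return (salt, stored_hash) for a new account."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def candidates(submitted: str) -> list[str]:
    """Strings the tolerant check tries: as typed, then fully case-reversed.

    A password with no letters is its own case-reversal, so it yields one candidate.
    """
    swapped = submitted.swapcase()
    return [submitted] if swapped == submitted else [submitted, swapped]


def tolerant_verify(submitted: str, salt: bytes, stored: bytes) -> bool:
    """Accepts the exact password or its caps-lock variant, nothing else."""
    ok = False
    for candidate in candidates(submitted):
        ok |= hmac.compare_digest(hash_password(candidate, salt), stored)
    return ok


def strict_verify(submitted: str, salt: bytes, stored: bytes) -> bool:
    """Fully case-sensitive check, for comparison."""
    return hmac.compare_digest(hash_password(submitted, salt), stored)


if __name__ == "__main__":
    salt, stored = enroll("PaSsWoRd1234")  # constructed sample password
    for attempt in ("PaSsWoRd1234", "pAsSwOrD1234", "password1234", "PASSWORD1234"):
        print(f"{attempt:14} tolerant={tolerant_verify(attempt, salt, stored)} "
              f"strict={strict_verify(attempt, salt, stored)}")
```

Because the server transforms the submitted string rather than the stored one, this works with salted hashes and does not require keeping the plaintext. Each login attempt is compared against at most two strings.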