
TIL Typo Tolerance in Passwords

2 min read
Shubh A Chudasama
Your neighborhood geek

TIL that some companies allow typo tolerance in passwords. Instead of simply rejecting a login attempt that contains a small mistake, they accept a few common typos, such as an accidental uppercase letter or an extra trailing character.

Years ago, while logging into my Gmail (or was it Instagram?) account, I accidentally typed the first character of my password in uppercase, which was incorrect. But, surprisingly, it let me in! I vaguely remember trying a few other variations, like changing the case of a character in the middle of the password, and they worked too. At the time, I thought it was some bug or glitch and forgot about it.

Today, while binge-reading Michael Lynch's blog and link-hopping, I came across this HN post about mistyped passwords and how Facebook handles them:

Our reply: Hi Christopher, We accept four forms of the user's password to help overcome the most common reasons that authentic logins are rejected. In addition to the original password, we also accept the password if a user inadvertently has caps lock enabled, if their mobile device automatically capitalizes the first character of the password, or if an extra character is added to the end of the password. We feel this does not significantly impact the security of the user's password or their account. Thanks. ~ Kurt, Security

A comment links to a research paper on typo-tolerant authentication schemes: pASSWORD tYPOS and How to Correct Them Securely. How interesting!

So, next time you notice a site letting you in with common typos in your password, this could be at play! (or maybe their auth is broken :p)