In 2017, I had stumbled on an issue with Facebook: while you are entering your password, adding a superfluous extra character at the end of the password would STILL allow you to log in to https://Facebook.com.
I first discovered this in 2018 and reported this to Facebook via their technical support portal on February 13, 2018, at 10:12 AM Eastern time. My report number at that time was 10116201341234184.
The simple steps I suggested to them were:
1. Visit Facebook.com in a browser.
2. Enter your username and password.
3. Add one additional character to the end of a password (letter, number, or special character).
You will still be granted access.
Adding TWO characters does not appear to work.
This was Facebook’s reply:
I’ve often wondered: does this mean passwords are not securely hashed and salted by Facebook and could potentially be leaked in the event of a hack?
Given the recent uptick in concerns with “that’s just how it works” not being good enough (Linux’s CUPS service, DNS AXFR), I thought this might be worth thinking about once again.
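The hashing question above can be checked in code. This is an added example, not part of the original post and not Facebook's code: it shows one way a server that stores only a salted hash could still accept a single extra trailing character, by hashing both the submitted string and the submitted string minus its last character. The function names, the PBKDF2 parameters and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed demo value, not a tuning recommendation


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> dict:
    """Keep only a random salt and the salted hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def candidates(submitted: str) -> list:
    """The submitted string, plus one correction: drop the last character."""
    out = [submitted]
    if len(submitted) > 1:
        out.append(submitted[:-1])
    return out


def verify(record: dict, submitted: str, tolerate_trailing: bool = True) -> bool:
    """Accept if any candidate re-hashes to the stored value."""
    tries = candidates(submitted) if tolerate_trailing else [submitted]
    ok = False
    for guess in tries:
        # Hash every candidate so timing does not show which one matched.
        digest = hash_password(guess, record["salt"])
        ok |= hmac.compare_digest(digest, record["hash"])
    return ok


if __name__ == "__main__":
    record = enroll("correct horse")  # constructed sample password
    for attempt in ("correct horse", "correct horseX", "correct horseXY"):
        print(repr(attempt), verify(record, attempt))
```

Under this scheme the behaviour in the steps above (one extra character accepted, two rejected) is reproduced without the server keeping the plaintext; the cost is that every login attempt effectively tests two candidate passwords instead of one.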