Does Facebook store passwords insecurely?

In 2017, I had stumbled on an issue with Facebook: while you are entering your password, adding a superfluous extra character at the end of the password would STILL allow you to log in to https://Facebook.com.

I first discovered this in 2018 and reported this to Facebook via their technical support portal on February 13, 2018, at 10:12 AM Eastern time. My report number at that time was 10116201341234184.

The simple steps I suggested to them were:

1. Visit Facebook.com in a browser.
2. Enter your username and password.
3. Add one additional character to the end of a password (letter, number, or special character).

You will still be granted access.

Adding TWO characters does not appear to work.

This was Facebook’s reply:

“We accept several forms of the user’s password to help overcome the most common reasons that authentic logins are rejected. In addition to the original password, we also accept the password if a user inadvertently has caps lock enabled, if their mobile device automatically capitalizes the first character of the password, or if an extra character is added to the beginning or end of the password. We feel this does not significantly impact the security of the user’s password or their account.”

Peter, Facebook Security

I’ve often wondered: does this mean passwords are not securely hashed and salted by Facebook and could potentially be leaked in the event of a hack?
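The leniency described in the quoted reply does not by itself require storing passwords in a recoverable form. A server can derive the handful of accepted variants from what the user typed and hash each one with the stored salt, keeping only a one-way digest on disk. The following is an added example written for this post, not Facebook's code; the exact normalisation rules, the PBKDF2 parameters and the sample password are assumptions, and it also reports the upper bound on how many distinct passwords one attempt can match, which is the real cost of the leniency:

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Hypothetical KDF parameters chosen for this example; a production system
# would use a memory-hard KDF (scrypt/Argon2) with its own tuned cost.
ITERATIONS = 50_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the salt and the one-way digest are stored;
    the plaintext password never is."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def candidate_variants(typed: str) -> List[str]:
    """Derive the forms the quoted reply says are accepted, from what the user typed:
    as typed, caps-lock inverted, an auto-capitalised first letter undone, and one
    extra character stripped from the start or from the end. Only one character is
    ever stripped, matching the observation that two added characters fail."""
    variants = [typed]
    if typed:
        variants.append(typed.swapcase())              # caps lock was on
        variants.append(typed[0].lower() + typed[1:])  # phone capitalised the first char
        variants.append(typed[1:])                     # one stray leading char
        variants.append(typed[:-1])                    # one stray trailing char
    seen = set()
    unique = []
    for v in variants:
        if v and v not in seen:
            seen.add(v)
            unique.append(v)
    return unique


def verify(typed: str, salt: bytes, stored_digest: bytes) -> bool:
    """Accept the login if any variant hashes to the stored digest.
    Each candidate is re-derived with the stored salt, so the store still holds
    nothing but salted one-way digests; hmac.compare_digest keeps the byte
    comparison timing-independent."""
    for candidate in candidate_variants(typed):
        _, digest = hash_password(candidate, salt)
        if hmac.compare_digest(digest, stored_digest):
            return True
    return False


def guess_multiplier(typed: str) -> int:
    """Upper bound on how many distinct stored passwords one login attempt can
    match. This factor (at most 5, roughly 2.3 bits) is what the leniency costs
    against online guessing; it says nothing about how the hash is stored."""
    return len(candidate_variants(typed))


if __name__ == "__main__":
    salt, digest = hash_password("Tr0ub4dor&3")  # constructed sample password
    for attempt in ["Tr0ub4dor&3", "Tr0ub4dor&3x", "Tr0ub4dor&3xy", "tR0UB4DOR&3"]:
        print(f"{attempt!r:18} -> {verify(attempt, salt, digest)}")
    print("passwords covered per attempt:", guess_multiplier("Tr0ub4dor&3"))
```

Run as a script it accepts the exact password, the password with one trailing character, and the caps-lock-inverted form, and rejects two trailing characters. An offline attacker who steals the table still faces the same salted, iterated digests as without the leniency; what changes is that each online guess covers up to five candidate passwords instead of one.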

Given the recent uptick in concerns with “that’s just how it works” not being good enough (the Linux CUPS service, DNS AXFR), I thought this might be worth thinking about once again.