Does Facebook store plain-text passwords?

Let's hope and assume that Facebook stores only hashes of the current password (and potentially previous passwords).

Here is what they can do:

  1. The user sets their first password to "first" and Facebook stores hash("first").

  2. Later on, the user resets their password and is asked to provide a new password, "First2".

  3. Facebook can generate a bunch of passwords similar to the new one, e.g. ["First2", "fIrst2", "firSt2", ... "first2", ... "first", ...], and then compare the hash of each with the stored hash.

This is the only solution that comes to my mind. Any other?
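The comparison scheme sketched in the question can be implemented against properly salted, slow hashes without the site ever storing the old password in recoverable form. The following is an added example (not code from the question or from Facebook): it derives candidate variants of the newly chosen password (case changes, a stripped or shifted trailing number) and checks each against the stored PBKDF2 hash. The salt, iteration count and the variant rules are constructed for illustration; real deployments use a far higher iteration count and their own similarity rules.

```python
import hashlib
import hmac
import itertools
import re

# Constructed demo value: kept low so the example runs quickly.
# Production password hashing uses a much higher work factor.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, slow hash of a password (PBKDF2-HMAC-SHA256 from the stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def case_variants(word: str, max_positions: int = 8) -> set[str]:
    """All upper/lower-case combinations of the first `max_positions` letters.

    Bounding the positions keeps the candidate count at most 2**max_positions.
    """
    positions = [i for i, ch in enumerate(word) if ch.isalpha()][:max_positions]
    out = set()
    for mask in itertools.product((str.lower, str.upper), repeat=len(positions)):
        chars = list(word)
        for pos, fn in zip(positions, mask):
            chars[pos] = fn(chars[pos])
        out.add("".join(chars))
    return out


def candidate_variants(new_password: str, max_case_positions: int = 8) -> set[str]:
    """Plausible 'previous' passwords the user may have derived the new one from.

    Hypothetical rule set for this example: the password itself, the password
    with a trailing digit/symbol suffix removed, and the trailing number moved
    up or down by one (password1 -> password2), each in all case variants.
    """
    bases = {new_password}

    stripped = re.sub(r"[\d!@#$%^&*]+$", "", new_password)
    if stripped:
        bases.add(stripped)

    match = re.search(r"(\d+)$", new_password)
    if match:
        digits = match.group(1)
        prefix = new_password[: match.start()]
        for k in (int(digits) - 1, int(digits) + 1):
            if k >= 0:
                bases.add(prefix + str(k).zfill(len(digits)))

    variants: set[str] = set()
    for base in bases:
        variants.update(case_variants(base, max_case_positions))
    return variants


def is_too_similar(new_password: str, stored_hash: bytes, salt: bytes,
                   iterations: int = ITERATIONS) -> bool:
    """True if any variant of the new password hashes to the stored hash.

    Each candidate costs one full slow hash, so the variant set must stay small;
    this check is only possible at reset time, when the new plaintext is in hand.
    """
    for candidate in candidate_variants(new_password):
        if hmac.compare_digest(hash_password(candidate, salt, iterations), stored_hash):
            return True
    return False


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"          # constructed sample value
    stored = hash_password("first", salt)        # what the site kept from step 1
    print(is_too_similar("First2", stored, salt))        # True: derived from "first"
    print(is_too_similar("Tr0ub4dor&3", stored, salt))   # False: unrelated
```

Note the trade-off this exposes: the check works only because the site can afford to run a bounded number of slow hashes at the one moment the user supplies a new password in plaintext; it does not require, and gains nothing from, storing old passwords reversibly.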


I wouldn't know if they do (I don't even use Facebook), but it's also possible that they use Hardware Security Modules (HSMs) for their cryptoprocessing that don't store hashed passwords but merely reversibly encrypt them. With the volume of authorization requests they have to deal with, this would make perfect sense, as it's orders of magnitude faster than secure (read: slow) password hashing, while still offering safe password storage.

HSMs could then be programmed to compare the stored and new passwords as the input of one of their functions and merely return its result (which could even be a boolean value in our case), with the original password never transmitted or stored in plaintext anywhere besides their internal memory (which is tamper resistant). This is usually referred to as onboard secure key and application storage/processing.

By the way, many banks use HSMs. A proper implementation also requires physical security for the devices themselves and for the way they're accessed (plus, they are rather costly), but this obviously provides a great deal more flexibility in the way passwords can be processed securely without ever being disclosed.


There's only one correct answer to this. Nobody knows (except Facebook).

Facebook could store your Facebook password in plaintext, but there also might be some scheme that uses fuzzy hashes or pre-computed hashes of similar passwords.

There is really no way of knowing unless we were to break into Facebook and audit all of their assets.