Assuming they're right, if you don't store passwords in the clear, you'd have to build all acceptable variants of a password when you get the original, then hash and store all of them, then check them all at next login attempt.
If you wanted to add a new kind of "allowable typo" (eg "correct except with capslock") you'd have to wait until the user next logged in to store that variant.
3 comments
[ 3.0 ms ] story [ 10.9 ms ] threadSecurity isn't supposed to be convenient. Autocorrecting passwords sounds like a bad idea all-around and will be exploited.
If you wanted to add a new kind of "allowable typo" (eg "correct except with capslock") you'd have to wait until the user next logged in to store that variant.