3 comments

[ 3.0 ms ] story [ 10.9 ms ] thread
“Websites should be changing their password policies to make users’ lives easier. The security degradation is pretty small.”

Security isn't supposed to be convenient. Autocorrecting passwords sounds like a bad idea all-around and will be exploited.

According to the article, they ran simulations and it only provided a .2% increase in likelihood of a breach
Assuming they're right, if you don't store passwords in the clear, you'd have to build all acceptable variants of a password when you get the original, then hash and store all of them, then check them all at next login attempt.

If you wanted to add a new kind of "allowable typo" (eg "correct except with capslock") you'd have to wait until the user next logged in to store that variant.