
Super brilliant idea for Windows: when logging on with a password that is only slightly mistyped, or with the consecutively appended number from the previous month, it should still be accepted. So much more usability - Microsoft just cannot reject that!

Comments
  • 15
    Taking the dumb idea seriously turned up something interesting: if you're using hashing to implement this, that would need a hash that preserves some notion of distance (i.e. points from the input space that are "close" to each other are mapped to points in the hash space that are also "close" to each other). I was sure that was already a thing, so a bit of search engine-ing around led me to this:
    https://en.m.wikipedia.org/wiki/...

    And this rather interesting paper:
    https://arxiv.org/abs/1703.07867

    I knew about dimensionality reduction techniques like LLE and t-SNE, but I've never studied hashes like this before, so thanks :p
  • 14
    In the early days of online banking I knew I had mistyped my password, but got in.

    So I logged out and in a bunch of times to figure out that they really only used 8 password characters and the rest were ignored.
  • 2
    @N00bPancakes fam what.

    That's wild
  • 6
    @N00bPancakes I had been typing my "whole" password for like a month without realising it was truncated 1 character. I didn't realise immediately because my password was 10 characters long and the site truncated it to 9. (The 10th character wasn't accepted, the field had a length limit.)
  • 4
    @N00bPancakes that was not too uncommon when password length was discussed, but the old database format used fixed-length fields.
  • 1
    I'll put this idea on the chaotic good alignment. Letting the user in with a similar password still sounds scary to me, I'd rather have this feature to not increment the rate limiter.

    Even that sounds like it could make it easier for brute-forcing.
  • 1
    @Awlex agreed, and once you allow longer passwords in the input you always have the option to use hashing to make use of the length and still fit it in the field; you could even put the hashing in the form itself.

    This would allow for an easier-to-remember password that still uses more actual symbols and therefore more entropy.

    If you limit the input, you've locked that avenue.
  • 1
    @RememberMe or just store multiple hashes based on the most common typing mistakes.
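Neither of the two mechanisms floated in the thread is what a typo-tolerant login usually looks like in practice: a distance-preserving hash gives up exactly the preimage resistance a password hash exists for, and storing one hash per common typo multiplies the stored material an attacker gets from a database dump. The usual alternative is to keep a single conventional hash and, at login, hash a small fixed set of corrected variants of what the user typed. The block below is an added example (not code from any participant here) of that approach, plus a measurement of its cost: each tolerated guess now covers the whole corrector "ball" around it, so an attacker's dictionary cracks more accounts. The three correctors (caps-lock inversion, auto-capitalised first character, one extra trailing key), the sample passwords and the guess list are all constructed for the demo; PBKDF2 stands in for argon2id/bcrypt only to stay within the standard library.

```python
"""Typo-tolerant password check against a single stored hash.

Added example, not from the thread. Corrector set, passwords and attacker
dictionary are constructed; PBKDF2 with a low iteration count stands in for
a real password hash (argon2id/bcrypt/scrypt) so the demo runs quickly offline.
"""
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

ITERATIONS = 10_000  # deliberately low for the demo; far higher in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_exact(password: str, salt: bytes, digest: bytes) -> bool:
    """Conventional check: hash the candidate and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def typo_variants(typed: str) -> List[str]:
    """Fixed corrector set (an assumption of this example), exact string first:
    caps-lock inversion, flipped first character, one extra trailing key.
    Duplicates and the empty string are dropped so each costs one hash at most."""
    candidates = [typed, typed.swapcase(), typed[:1].swapcase() + typed[1:], typed[:-1]]
    out: List[str] = []
    for c in candidates:
        if c and c not in out:
            out.append(c)
    return out


def verify_tolerant(typed: str, salt: bytes, digest: bytes) -> Optional[str]:
    """Accept the typed string or any corrector variant. Returns the string that
    matched (so the caller can log which corrector fired) or None. Cost: up to
    len(typo_variants(typed)) password-hash evaluations per login."""
    for candidate in typo_variants(typed):
        if verify_exact(candidate, salt, digest):
            return candidate
    return None


def cracked_count(guesses: Iterable[str], targets: Iterable[str], tolerant: bool) -> int:
    """Security cost: how many stored passwords an attacker's guess list unlocks
    through the login check, with and without typo tolerance. Tolerance can only
    raise this number, because every guess now covers its whole corrector ball."""
    guesses = list(guesses)
    cracked = 0
    for target in targets:
        salt, digest = hash_password(target)
        for g in guesses:
            hit = verify_tolerant(g, salt, digest) if tolerant else verify_exact(g, salt, digest)
            if hit:
                cracked += 1
                break
    return cracked


# Constructed sample data: a tiny attacker dictionary and five stored passwords.
GUESSES = ["hunter2", "correct horse", "Tr0ub4dor&3", "letmein"]
TARGETS = ["hunter2", "HUNTER2", "Tr0ub4dor&3!", "letmein", "Letmein"]

if __name__ == "__main__":
    print("exact   :", cracked_count(GUESSES, TARGETS, tolerant=False))
    print("tolerant:", cracked_count(GUESSES, TARGETS, tolerant=True))
```

Note the asymmetry in the last corrector: dropping a trailing character lets "Hunter2x" open an account whose password is "Hunter2", but it does not let "Tr0ub4dor&3" open one whose password is "Tr0ub4dor&3!", because correction runs on the attempt, never on the stored secret. Whether the extra coverage (two more of the five sample targets here) is acceptable is a policy question; the point is that it can be measured before shipping.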