
No, you don't ignore the case, you swap it and try again. This could be implemented as a browser extension:

- User types pA$$WORD1 and clicks Sign In

- Frontend sends that to the server

- Server responds "incorrect"

- Frontend tries again with Pa$$word1

- Server responds "correct" and user is logged in




So now every wrong password is using 2 attempts?

You either have to double the number of failed attempts before a lockout or deal with users getting locked out much quicker.

Thus causing more frustration than if you'd done nothing at all to address the capslock issue (that they're going to have to notice and fix anyway at some point, when they inevitably need to type again).


Well, in Facebook's case, it's more than double (it appears to be 3 or 4 at most), and it is done smartly (the reverse caps try is only performed if you typed in your password with capslock turned on), and with a proper system to throttle attempts before locking an account, it seems reasonable to me. See https://security.stackexchange.com/a/214815 and its sources.
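The retry flow from the first comment, done server-side as the reply describes for Facebook, as an added example that is not code from any commenter or from Facebook. The server hashes the submitted password and, only when the browser reports that Caps Lock was on (the `caps_lock_hint` flag is an assumption: the frontend would have to send it, e.g. from `KeyboardEvent.getModifierState("CapsLock")`), also hashes the case-swapped form. Either way a single submission counts as a single failed attempt, which is the part that answers the lockout concern raised above. The user record, salt, PBKDF2 parameters and lockout threshold are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed parameters for the example; a real deployment tunes these separately.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; the stored credential form."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed user store: one account whose password was set as "Pa$$word1".
_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _SALT,
        "hash": hash_password("Pa$$word1", _SALT),
        "failed_attempts": 0,
    }
}


def candidate_passwords(typed: str, caps_lock_hint: bool):
    """Yield the password as typed, then its case-swapped form if Caps Lock was on.

    The swapped form is only tried when the client reports Caps Lock (the hint is
    an assumed frontend-supplied flag) and when swapping actually changes the string.
    """
    yield typed
    if caps_lock_hint:
        swapped = typed.swapcase()
        if swapped != typed:
            yield swapped


def check_login(username: str, typed: str, caps_lock_hint: bool = False) -> bool:
    """Verify a login submission, charging at most one failed attempt per submission."""
    user = USERS.get(username)
    if user is None:
        return False
    if user["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
        return False  # account locked; the throttle sits in front of this in practice

    for candidate in candidate_passwords(typed, caps_lock_hint):
        # Constant-time comparison of the derived hashes.
        if hmac.compare_digest(hash_password(candidate, user["salt"]), user["hash"]):
            user["failed_attempts"] = 0
            return True

    # One submission, one failed attempt, however many variants were hashed.
    user["failed_attempts"] += 1
    return False


def failed_attempts(username: str) -> int:
    """Current failed-attempt counter for a user (0 for unknown users)."""
    user = USERS.get(username)
    return user["failed_attempts"] if user else 0


if __name__ == "__main__":
    print(check_login("alice", "pA$$WORD1", caps_lock_hint=True))   # True: swapped form matches
    print(check_login("alice", "pA$$WORD1", caps_lock_hint=False))  # False: no Caps Lock hint
    print(failed_attempts("alice"))                                  # 1
```

Keeping the second try on the server rather than in a browser extension means the lockout counter, the throttle and the audit log all see one attempt per submission, and the swapped candidate is never sent over the wire as a separate request.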



