If a user types hUNTER2 and your service corrects it to Hunter2, have you reduced security? How much will it help?
This fun paper explores that question and finds that you can preserve security while fixing 10% of logins:
pASSWORD tYPOS and How to Correct Them Securely https://www.ieee-security.org/TC/SP2016/papers/0824a799.pdf
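To make the idea concrete, here is an added example (not code from the post or from the paper's authors) of a typo-tolerant checker in the paper's style: the submitted password is verified against the stored salted hash first, and only on failure are a few fixed correctors tried, each costing at most one more hash comparison. The corrector names follow the paper's terminology (swc-all, swc-first, rm-last); the PBKDF2 work factor, function names, and test passwords are assumptions for the example.

```python
"""Typo-tolerant password checking (added example, not the paper's code).

Assumes a stored record of (salt, PBKDF2-HMAC-SHA256 digest) and the three
correctors the paper singles out: swap the case of every letter (swc-all,
the Caps Lock fix), swap the case of the first letter (swc-first, the
"Shift held too long" fix), and drop the last character (rm-last).
"""
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage; a fresh random salt if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def _verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)


# Correctors: pure functions from the typed string to a candidate string.
def swc_all(pw: str) -> str:
    return pw.swapcase()


def swc_first(pw: str) -> str:
    return pw[0].swapcase() + pw[1:] if pw else pw


def rm_last(pw: str) -> str:
    return pw[:-1]


# Ordered list: the first corrector that yields a match is reported.
CORRECTORS: List[Tuple[str, Callable[[str], str]]] = [
    ("swc-all", swc_all),
    ("swc-first", swc_first),
    ("rm-last", rm_last),
]


def check_password(submitted: str, salt: bytes, stored: bytes,
                   correctors=CORRECTORS) -> Tuple[bool, Optional[str]]:
    """Return (accepted, corrector_name).

    corrector_name is None on an exact match, otherwise the name of the
    corrector that produced the accepted candidate.  Duplicate candidates
    (e.g. swc-first == swc-all for a one-letter password) are skipped so a
    login attempt never costs more than len(correctors) + 1 hash checks.
    """
    if _verify(submitted, salt, stored):
        return True, None
    tried = {submitted}
    for name, fix in correctors:
        candidate = fix(submitted)
        if candidate in tried:
            continue
        tried.add(candidate)
        if _verify(candidate, salt, stored):
            return True, name
    return False, None


if __name__ == "__main__":
    s, d = hash_password("Hunter2")  # constructed test credential
    print(check_password("hUNTER2", s, d))   # Caps Lock typo -> (True, 'swc-all')
    print(check_password("hunter2", s, d))   # first letter -> (True, 'swc-first')
    print(check_password("Hunter2!", s, d))  # extra trailing char -> (True, 'rm-last')
    print(check_password("hunter", s, d))    # not a typo we correct -> (False, None)
```

Two practical points follow from the structure above. The correctors run only after the exact check fails, so the common path costs nothing extra, and the bound of one extra hash per corrector is what keeps the security argument tractable: an online guesser gets at most one additional "free" candidate per corrector per attempt, which is why the paper restricts itself to a handful of high-yield correctors rather than a general edit-distance search. Rate limiting and lockout counters should count the whole attempt once, not once per candidate, or a legitimate typo will burn through the user's budget.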
miniblog.