Apparently old news but new to me. Facebook employs a brilliant method to improve password usability:

My understanding for Facebook is that if you fail to log in, they make 3 extra automated attempts:

• Swap capitalization on first character
• Swap capitalization on whole input (e.g. caps lock left on)
• remove last character of password. (e.g. If you hit \ when trying to press enter)

So your password is still stored securely as a salted hash, they just automatically attempt 3 extremely similar passwords if your initial attempt didn't work.

Genius. See also pASSWORD tYPOS and How to Correct Them Securely, with numbers on types of error and security impact of accepting them.

Short version: of course you need salt, but the real goal is to make brute-forcing infeasible. The best way to accomplish that task is to make your hash function as slow as possible, and able to be slowed even further to compensate for advances in hardware.

Issues apparently include:

• Passwords truncated to the first 8 characters
• Non-alphanumeric characters stripped
• Stored encrypted (not hashed) in the Windows registry

And various Unix flavours have similar default behaviour?!