[Tapin]

[ QUOTE ]
I'd reasonably expect that a developer could write a system helpful enough to tell whether an attempt is one or two letters off.

[/ QUOTE ]
I'm sorry, but you know nothing of which you speak.

Good hashing functions change approximately half of the output bits for every bit change in the input. This is Hashing 101. Determining whether a given string was "one or two letters off" requires either a so-weak-as-to-be-pointless hashing algorithm, or a collosal amount of iterative effort that won't be accomplished in real time during a support phone call.

This is all meta-discussion, however, since it's quite apparent that NT's backend password storage is insecure and their developers are unfamiliar with standard operating procedure.

(I'm baffled that they not only can see user's passwords, they can even see user's failed attempts at passwords. Yiiikes.)