Commit 8f823ed

Fix a typo: out-out -> opt-out
Thanks to @berekuk for catching that. =).
1 parent ad65c60 commit 8f823ed

1 file changed (+1, -1 lines)

Gathering-weak-npm-credentials.md

Lines changed: 1 addition & 1 deletion
@@ -237,7 +237,7 @@ This list is ordered, by impact (from higher to lower) combined with estimated c
237237

238238
1. **Partial** A proper bruteforce protection mechanism. Getting this one correct is hard, see [here](https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks) for explanation, but even significantly reducing the reachable speed could greatly improve things, combined with other methods.
239239
1. **Done** ~Monitor overall failed auth requests — that should almost immediately give a hint that a bruteforce attack is running.~
240-
1. Notify package authors when a new version of a package they own is packaged — both on the [npmjs.com](https://www.npmjs.com) website (similar to GitHub notifications, for example) and through the email (the email should have an out-out, of course).
240+
1. Notify package authors when a new version of a package they own is packaged — both on the [npmjs.com](https://www.npmjs.com) website (similar to GitHub notifications, for example) and through the email (the email should have an opt-out, of course).
241241
1. **Done** ~Check for password weakness upon registration and when changing the password. Too short, known weak (from the top-used lists), and passwords containing username of a significant part of it (case-insensitive) should be rejected.~
242242
1. The existing users should be taken through this check. Perhaps the users with different impact in downloads/month should be treated differently, and while it will probably be enough to just send warnings to users without any packages at all, it's probably worth to actually reset weak password for accounts who have publish access to significantly popular and crucial packages. This has to be redone from time to time (note that the password lists, the rules, the download stats and the user-package relations will be changing over time).
243243
1. **[Soon](http://blog.npmjs.org/post/160809090595/basic-auth-to-be-limited-soon)** ~Deprecate password-based authorization (that is, `_password`/`_auth`) in the client in favor of token (`_authToken`) one — [#9866](https://github.com/npm/npm/issues/9866).~
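Review bot: with the typo fixed, the same list item (line 240) still says a new version of a package is "packaged" when the event it describes is a publish; suggest "when a new version of a package they own is published". Since this notification is the one control in the list that would tell an author that someone else published under their account, it is worth stating on that line that the email opt-out must be off by default (authors opt in to silence rather than opt in to alerts), otherwise the owner of a compromised account is exactly the person who never sees the alert.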
