This must be to prevent users from using "password" as the password (and instead making them use the less likely to be guessed "assword", assuming of course that the attacker doesn't have a HP computer).
Joking aside, this exact misspelling is probably way down any brute-force list. So, if your threat model is spammers stealing accounts with common passwords and nobody really trying to hack you in particular, it may be secure enough.