-
-
Notifications
You must be signed in to change notification settings - Fork 635
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Discussion of unicode password requirement V2.1.4 #691
Comments
Current (v4.0.1) unicode requirement:
To watch entire password ruleset, use: #683 Discussion: rules for password format and content |
I have always struggled with unicode/emojis being a compulsory requirement here and this Twitter thread makes me think that even more so. I would consider softening this requirement somehow to focus on not blocking any characters. |
To be clear - problem is not with unicode, problem is with emojis (choosing visually pictures instead type letters). |
I couldn't agree more with the original thread and comments here. As someone who doesn't get emojis or uses them, it's all foreign to me but I see the appeal for wanting to use them. The arguments about warning of using them, however, should be added. In my mind, it should read something like: Verify that no character set is blocked from being used as a source for passwords. Whilst it is important to note that the chosen input method may vary depending on situation, a single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted. Thoughts? |
I would just suggest “any printable Unicode character including language neutral characters such as spaces and Emoji”
Not all User Agents handle control characters well. And I politely suggest that the “12 emoji or 64 kanji” bit confuses the issue a bit.
…--
Jim Manico
@manicode
On Dec 8, 2019, at 3:34 PM, Daniel Cuthbert ***@***.***> wrote:
I couldn't agree more with the original thread and comments here. As someone who doesn't get emojis or uses them, it's all foreign to me but I see the appeal for wanting to use them. The arguments about warning of using them, however, should be added. In my mind, it should read something like:
Verify that no character set is blocked from being used as a source for passwords. Whilst it is important to note that the chosen input method may vary depending on situation, a single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted.
Thoughts?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
Short, simple and covers all. Any objections? |
Just for pointing it out - if we include "spaces", we going to merge requirements V2.1.3 and V2.1.4
I actually like do-not-trim-spaces-from-password as separate requirement. |
So having read the original NIST, I think that these requirements should actually be as follows:
Any further comments? |
+1
…--
Jim Manico
@manicode
Secure Coding Education
+1 (808) 652-3805
On Dec 22, 2019, at 2:54 PM, Josh Grossman ***@***.***> wrote:
So having read the original NIST, I think that these requirements should actually be as follows:
V2.1.3 Verify that password truncation is not performed. However, consecutive multiple spaces MAY optionally be coalesced.
V2.1.4 Verify that any printable Unicode character, including language neutral characters such as spaces and Emojis are permitted in passwords
Any further comments?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
Maybe change coalesced to a easier word? :)
…--
Jim Manico
@manicode
Secure Coding Education
+1 (808) 652-3805
On Dec 22, 2019, at 2:54 PM, Josh Grossman ***@***.***> wrote:
So having read the original NIST, I think that these requirements should actually be as follows:
V2.1.3 Verify that password truncation is not performed. However, consecutive multiple spaces MAY optionally be coalesced.
V2.1.4 Verify that any printable Unicode character, including language neutral characters such as spaces and Emojis are permitted in passwords
Any further comments?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
👍🏼👍🏼
…--
Jim Manico
@manicode
Secure Coding Education
+1 (808) 652-3805
On Dec 25, 2019, at 2:43 PM, Josh Grossman ***@***.***> wrote:
V2.1.3 Verify that password truncation is not performed. However, consecutive multiple spaces may be replaced by a single space.
V2.1.4 Verify that any printable Unicode character, including language neutral characters such as spaces and Emojis are permitted in passwords
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
Opened a PR which I will merge in a week or so in case anyone has final comments. |
https://twitter.com/FakeUnicode/status/1192245294429130752?s=19
The text was updated successfully, but these errors were encountered: