115
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 30 May 2025
115 points (98.3% liked)
privacy
4980 readers
220 users here now
Big tech and governments are monitoring and recording your eating activities. c/Privacy provides tips and tricks to protect your privacy against global surveillance.
Partners:
- community.nicfab.it/c/privacy
founded 3 years ago
MODERATORS
I've always wondered about Unicode normalization and passwords. I don't know a ton about it, but I think it's that things like
öand be represented as one character for the whole thing or two, one for the umlaut and another foro. That means that there are at least two sequences of code points that make the same... Glyph? I forget the word. The thing you see on the screen.Anyway, what if you have that
öin your password and one browser/keyboard/os/lovecraftian nightmare makes the mark one way and the other does it the other way? They aren't the same bytes. So they won't hash the same and you just can't tell why. Without digging super deep.There are standard ways to normalize the Unicode but I don't imagine most password systems use them. Maybe it's some intermediate layer. But I kind of doubt it. Those are complex, evolving standards.
Oh. And that "evolving" thing might make trouble for password systems. Are these standards backwards compatible in the way they'd need to be for a normalization upgrade not to break any passwords?
Oh God, what nightmare have I found?
I’m gonna add a 𓂸 to my password.
Better yet of you include users - there are so many lookalike characters (and the additionally all those diacritics to make more lookalikes) that look the same, so that a human most certainly can't/won't tell them apart, but that are completely different codepoints.
I � Unicode!