Unicode in passwords

Jonathan Rosenne jonathan.rosenne at gmail.com
Wed Sep 30 23:11:32 CDT 2015

For languages such as Java, passwords should be handled as byte arrays rather than strings. This may make it difficult to apply normalization. 


Jonathan Rosenne


From: Unicode [mailto:unicode-bounces at unicode.org] On Behalf Of Clark S. Cox III
Sent: Thursday, October 01, 2015 2:16 AM
To: Hans Åberg
Cc: unicode at unicode.org; John O'Conner
Subject: Re: Unicode in passwords



On 2015/09/30, at 13:29, Hans Åberg <haberg-1 at telia.com> wrote:


On 30 Sep 2015, at 18:33, John O'Conner <jsoconner at gmail.com> wrote:

Can you recommend any documents to help me understand potential issues (if any) for password policies and validation methods that allow characters from more "exotic" portions of the Unicode space?

On UNIX computers, one computes a hash (like SHA-256), which is then used to authenticate the password up to a high probability. The hash is stored in the open, but it is not known how to compute the password from the hash, so knowing the hash does not easily allow authentication.

So if the password is 


… normalized and then …

encoded in say UTF-8 and then hashed, it would seem to take care of most problems.


You really wouldn’t want “Schlüssel” and “Schlüssel” being different passwords, would you? (assuming that my mail client and/or OS is not interfering, the first is NFC, while the second is NFD)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://unicode.org/pipermail/unicode/attachments/20151001/dc774542/attachment.html>

More information about the Unicode mailing list