global password strategies

Tex textexin at
Mon Apr 4 18:23:08 CDT 2022

What is the modern recommendation for globalization of passwords?


1)      If your application (web, mobile, desktop, etc.) is used worldwide, which characters do you allow or restrict?


2)      How do you deal with writing direction? 

My concerns are that confirming and displaying a password might look different depending on how well the browser or OS implements RTL writing direction or features like dir=auto. A user may then not be able to log in because they are instructed to type it in a way that is inconsistent with what they have seen on the screen.


3)      Do you allow control or other invisible characters that a user may be used to typing in certain phrases? If these are allowed, how to indicate to the user that they have been used?


4)      Also, should passwords be Unicode normalized? Seems damned if you do and if you don’t. Do text input methods generate test the same way or is it possible for a user to create a password on one system and then not be able to log in on another device?  (Not normalization related, but I have experienced difficulty logging in to foreign systems, in hotels etc., when the keyboard is different and it takes a while to realize I have to abandon muscle memory and remember the actual password and look for the keys on the keyboard.)




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Unicode mailing list