global password strategies

Tex textexin at
Fri Apr 8 01:42:03 CDT 2022

Thanks very much for this, Jonathon. Some of the recommendations in the doc are counterintuitive or surprising to me. I will give it a closer read.




From: Unicode [mailto:unicode-bounces at] On Behalf Of Jonathan Rosenne via Unicode
Sent: Thursday, April 7, 2022 10:57 PM
To: unicode at
Subject: RE: global password strategies




Dated June 2017 Memorized Secret Verifiers 

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character. 

If Unicode characters are accepted in memorized secrets, the verifier SHOULD apply the Normalization Process for Stabilized Strings using either the NFKC or NFKD normalization defined in Section 12.1 of Unicode Standard Annex 15 [UAX 15]. This process is applied before hashing the byte string representing the memorized secret. Subscribers choosing memorized secrets containing Unicode characters SHOULD be advised that some characters may be represented differently by some endpoints, which can affect their ability to authenticate successfully.


NIST guidelines are widely accepted worldwide, although theoretically “NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal systems, …”


Personally, I use Hebrew passwords in systems that allow it. Since my passwords are all Hebrew I don’t have directionality concerns.


Best Regards,


Jonathan Rosenne


From: Unicode <unicode-bounces at> On Behalf Of ag disroot via Unicode
Sent: Friday, April 8, 2022 7:31 AM
To: unicode at
Subject: Re: global password strategies


Since passwords are meant to be typed and not viewed (hence the "•••••"), then you can strip all control characters when you process a password. since this control-character-removal function will run on password creation and on login it should be fine 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Unicode mailing list