<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='color:#002060'>Thanks very much for this, Jonathan. Some of the recommendations in the doc are counterintuitive or surprising to me. I will give it a closer read.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#002060'>tex<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='color:#002060'><o:p> </o:p></span></a></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Unicode [mailto:unicode-bounces@corp.unicode.org] <b>On Behalf Of </b>Jonathan Rosenne via Unicode<br><b>Sent:</b> Thursday, April 7, 2022 10:57 PM<br><b>To:</b> unicode@corp.unicode.org<br><b>Subject:</b> RE: global password strategies<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'>The issue has been addressed by NIST, in NIST SP 800-63B DIGITAL IDENTITY GUIDELINES: AUTHENTICATION &amp; LIFECYCLE MANAGEMENT: <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'><a href="https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf">https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span
style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Dated June 2017<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=Default><b><span style='font-size:11.0pt;color:#02020E'>5.1.1.2 Memorized Secret Verifiers </span></b><span style='font-size:11.0pt;color:#02020E'><o:p></o:p></span></p><p class=Default><span style='font-size:11.5pt;font-family:"Times New Roman","serif"'>Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [</span><span style='font-size:11.5pt;font-family:"Times New Roman","serif";color:blue'>RFC 20</span><span style='font-size:11.5pt;font-family:"Times New Roman","serif"'>] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [</span><span style='font-size:11.5pt;font-family:"Times New Roman","serif";color:blue'>ISO/ISC 10646</span><span style='font-size:11.5pt;font-family:"Times New Roman","serif"'>] characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.5pt;font-family:"Times New Roman","serif"'>If Unicode characters are accepted in memorized secrets, the verifier SHOULD apply the Normalization Process for Stabilized Strings using either the NFKC or NFKD normalization defined in Section 12.1 of Unicode Standard Annex 15 [<span style='color:blue'>UAX 15</span>]. 
This process is applied before hashing the byte string representing the memorized secret. Subscribers choosing memorized secrets containing Unicode characters SHOULD be advised that some characters may be represented differently by some endpoints, which can affect their ability to authenticate successfully.</span><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'>NIST guidelines are widely accepted worldwide, although theoretically “NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal systems, …”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Personally, I use Hebrew passwords in systems that allow it. 
Since my passwords are all Hebrew, I don’t have directionality concerns.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Best Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Jonathan Rosenne</span><span style='font-size:14.0pt;color:#1F497D'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Unicode &lt;unicode-bounces@corp.unicode.org&gt; <b>On Behalf Of </b>ag disroot via Unicode<br><b>Sent:</b> Friday, April 8, 2022 7:31 AM<br><b>To:</b> unicode@corp.unicode.org<br><b>Subject:</b> Re: global password strategies<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Since passwords are meant to be typed and not viewed (hence the "•••••"), you can strip <i>all</i> control characters when you process a password. Since this control-character-removal function will run on password creation and on login, it should be fine.<o:p></o:p></span></p></div></div></body></html>
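As an added example (mine, not code from the thread or from NIST) of the quoted 5.1.1.2 rules in practice: a minimal Python verifier that collapses repeated spaces, applies NFKC before hashing, counts length in code points, and rejects rather than truncates over-long secrets. The PBKDF2 choice, its round count and the 64-code-point ceiling are assumptions for this example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Limits are code points (5.1.1.2: each code point counts as one character); 64 is the
# lowest ceiling the text lets a verifier impose. PBKDF2 parameters are assumed here.
MIN_CODE_POINTS = 8
MAX_CODE_POINTS = 64
PBKDF2_ROUNDS = 100_000


def canonicalize(secret: str) -> str:
    """Space collapsing (MAY) followed by NFKC (SHOULD), applied before any hashing."""
    collapsed = re.sub(" {2,}", " ", secret)
    if len(collapsed) >= MIN_CODE_POINTS:  # only allowed if the result is still >= 8
        secret = collapsed
    # NFKC is idempotent, so canonically or compatibly equivalent input (precomposed vs.
    # combining marks, fullwidth vs. ASCII) hashes identically at enrollment and login.
    return unicodedata.normalize("NFKC", secret)


def meets_policy(secret: str) -> bool:
    """len() of a str counts code points. Checked on the canonical form (what is
    actually hashed); an over-long secret is rejected, never truncated."""
    return MIN_CODE_POINTS <= len(canonicalize(secret)) <= MAX_CODE_POINTS


def derive(secret: str, salt: bytes) -> bytes:
    data = canonicalize(secret).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


def enroll(secret: str) -> dict:
    """Builds the stored verifier record for a subscriber-chosen secret."""
    if not meets_policy(secret):
        raise ValueError("secret must be 8..64 code points after normalization")
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(secret, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Same canonicalization as enrollment, then a constant-time comparison."""
    return hmac.compare_digest(record["hash"], derive(attempt, record["salt"]))


if __name__ == "__main__":
    rec = enroll("שלום עולם")                # Hebrew, 9 code points including the space
    print(verify(rec, "שלום  עולם"))          # doubled space collapsed first -> True
    rec = enroll("caf\u00e9 au lait")         # precomposed é (U+00E9) at enrollment
    print(verify(rec, "cafe\u0301 au lait"))  # e + U+0301 typed elsewhere -> True
```

A bcrypt-based verifier would need extra care here: bcrypt truncates its input at 72 bytes, and 64 code points of 4-byte UTF-8 is 256 bytes, so the "SHALL NOT truncate" rule would be silently violated. PBKDF2 has no such input limit, which is why it is used in this example.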