On Thu, Dec 24, 2020 at 10:21 AM <2qdxy4rzwzuui...@potatochowder.com> wrote:
> If you're going to wander out of ASCII, then don't forget to address
> Unicode confusables. Nothing is more embarrassing than scribbling your
> complicated password on a sticky note and then not being able to tell
> the o's from the ο's. ;-)
TBH I don't think that's really our consideration. My recommendation is: first do a basic Unicode normalization (probably NFC, but there are good arguments for NFD instead), then just use it as-is. Everything else is the user's choice.

And you shouldn't ever have to worry about a maximum length; after any checks such as "both passwords must be the same" (on account creation), the only thing you'll need to do is encode it as UTF-8 and hand it to bcrypt.

But by using simpler password requirements (an 11-character minimum is good in 2020, but maybe in the future you might want to extend that to 12), you reduce the temptation to use confusable letters in it. Context is everything.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list
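The normalize-then-encode pipeline described in the reply above, as an added example that is not part of the original thread. It uses only the standard library and stops at the UTF-8 bytes that would be handed to bcrypt; the function names, the sample passwords and the 11-character minimum taken from the post are the example's own choices.

```python
import unicodedata

MIN_LENGTH = 11          # the minimum suggested in the post
NORMAL_FORM = "NFC"      # NFD is the alternative discussed in the post
BCRYPT_INPUT_LIMIT = 72  # bcrypt implementations only use the first 72 bytes


def prepare_password(password: str, form: str = NORMAL_FORM) -> bytes:
    """Normalize, then UTF-8 encode: these bytes are what gets handed to bcrypt."""
    return unicodedata.normalize(form, password).encode("utf-8")


def passwords_match(first: str, second: str) -> bool:
    """'Both passwords must be the same', compared after normalization so that a
    composed 'é' and a decomposed 'e' + U+0301 are treated as the same password."""
    return prepare_password(first) == prepare_password(second)


def meets_minimum_length(password: str, minimum: int = MIN_LENGTH) -> bool:
    """Count code points after normalization: counting the raw input would let a
    decomposed (NFD-style) spelling inflate the length with combining marks."""
    return len(unicodedata.normalize(NORMAL_FORM, password)) >= minimum


def fits_bcrypt_input(password: str) -> bool:
    """Report whether the encoded bytes fit within bcrypt's 72-byte input window;
    anything beyond it is silently ignored by the hash."""
    return len(prepare_password(password)) <= BCRYPT_INPUT_LIMIT


# Constructed sample: the same password typed two ways (composed vs decomposed accent).
COMPOSED = "caf\u00e9 au lait!"      # é as a single code point U+00E9
DECOMPOSED = "cafe\u0301 au lait!"   # e followed by U+0301 COMBINING ACUTE ACCENT

if __name__ == "__main__":
    print("raw strings equal:", COMPOSED == DECOMPOSED)            # False
    print("match after NFC:", passwords_match(COMPOSED, DECOMPOSED))  # True
    print("bytes for bcrypt:", prepare_password(COMPOSED))
    print("raw vs normalized length:", len(DECOMPOSED),
          len(unicodedata.normalize(NORMAL_FORM, DECOMPOSED)))
    print("meets minimum:", meets_minimum_length(COMPOSED))
    print("fits bcrypt input:", fits_bcrypt_input(COMPOSED))
```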