On Thu, Dec 24, 2020 at 10:21 AM <2qdxy4rzwzuui...@potatochowder.com> wrote:
> If you're going to wander out of ASCII, then don't forget to address
> Unicode confusables.  Nothing is more embarrassing than scribbling your
> complicated password on a sticky note and then not being able to tell
> the o's from the ο's.  ;-)

TBH I don't think that's really our consideration. My recommendation
is: First do a basic Unicode normalization (probably NFC, but there
are good arguments for NFD instead), then just use it as-is.
Everything else is the user's choice. And you shouldn't ever have to
worry about a maximum length; after any checks such as "both passwords
must be the same" (on account creation), the only thing you'll need to
do is encode it as UTF-8 and hand it to bcrypt.

But by using simpler password requirements (an 11-character minimum is
good in 2020, but maybe in the future you might want to extend that to
12), you reduce the temptation to use confusable letters in it.
Context is everything.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
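The normalize-then-encode step recommended above, as an added stand-alone example (not code from the thread): NFC via `unicodedata`, UTF-8 encoding, and the standard library's PBKDF2 standing in for bcrypt, which is not in the stdlib. The sample passwords are constructed; the last helper reports whether the encoded form exceeds the 72 bytes that bcrypt actually uses, a practical caveat even when no maximum is imposed on the user.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample input: the same password typed two ways,
# precomposed e-acute (U+00E9) versus 'e' followed by combining acute (U+0301).
COMPOSED = "caf\u00e9 latte 2020"
DECOMPOSED = "cafe\u0301 latte 2020"

PBKDF2_ROUNDS = 200_000  # assumption for this example; tune for your hardware
BCRYPT_MAX_BYTES = 72    # bcrypt ignores anything past this many bytes


def canonical_bytes(password: str) -> bytes:
    """NFC-normalize, then UTF-8 encode: the order the post recommends."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt=None):
    """Return (salt, digest). PBKDF2-HMAC-SHA256 stands in for bcrypt here."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the same canonicalization and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def exceeds_bcrypt_input(password: str) -> bool:
    """True when the canonical UTF-8 form is longer than bcrypt would actually hash."""
    return len(canonical_bytes(password)) > BCRYPT_MAX_BYTES
```

Note that NFC only unifies canonically equivalent sequences; a Latin "o" and a Greek omicron remain different passwords, which is exactly the "user's choice" the post leaves alone.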
