On Thu, Apr 21, 2016 at 07:30:07AM -0700, Rick Leir wrote:
> Here are the Stackoverflow discussions I mentioned Ñ (oops I have the
> Espanol keyboard selected)
>
> http://stackoverflow.com/questions/16173328/what-unicode-normalization-and-other-processing-is-appropriate-for-passwords-w
> http://stackoverflow.com/questions/2798794/how-do-i-properly-implement-unicode-passwords
>
> Maybe we should not permit unicode passwords:
>
> http://stackoverflow.com/questions/1797777/should-i-support-unicode-in-passwords
>
> One issue for passwords is that you might have different Input Methods when
> you use different browsers, making it more difficult to login. Are Input
> Methods much different among browsers?
> We only need to consider browsers, clearly, not other UI's. (please
> correct me if there is any other, say Qt GUI)
>
> - Chrome: use input tools http://www.google.com/inputtools/ on Mac, Linux, and Windows
> - Mobile Android: long-press then slide to select a char
> - Mobile iOS:
> - I.E.: Microsoft has a few ways to enter Hex codes (unfriendly in my mind) https://en.wikipedia.org/wiki/Unicode_input#In_Microsoft_Windows
> - Firefox: there are 5 addons available https://addons.mozilla.org/en-US/firefox/tag/input%20method%20editor
> - Opera, Konqueror, .. .. ..
>
> The issue for usernames is that you could spoof someone else's username,
> and appear to be (impersonate) another person. The attacker can easily
> enter a character which looks the same but has a different Unicode point.
> Michal, as you say, we would want to normalize the chars. And as you say,
> it is a topic for the dev list.
>
> But how important is this issue? Yes, it is security related. But it is far
> from critical in my mind.
It's not important until this happens: https://labs.spotify.com/2013/06/18/creative-usernames/

Question is whether this is something that Django should handle by default, or it's up to each application developer to take care of it.

A quick and superficial search through the archives of django-developers didn't yield much on this topic, I only found one thread about this from way back in 2008, and as I skimmed through the thread, it doesn't seem the security aspects were considered: https://groups.google.com/d/topic/django-developers/WW28RIVyU3k/discussion

Michal

--
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/20160421144157.GH1129%40koniiiik.org.
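Rick's "normalize the chars" point and Michal's Spotify link, as an added Python example (not code from this thread or from Django): a registration check that canonicalises a username with NFKC + casefold, verifies the canonical form is a fixed point (the failure the Spotify post describes), and refuses mixed-script names, since normalization alone leaves cross-script look-alikes untouched. Function names, the `taken` set and the sample names are assumptions.

```python
import unicodedata


def canonical_username(name):
    """Canonical form used for uniqueness checks.

    NFKC folds compatibility characters (superscript/fullwidth letters,
    ligatures) onto their base letters; casefold() then removes case in a
    Unicode-aware way. Two visually different strings with the same
    canonical form are treated as the same account name.
    """
    return unicodedata.normalize("NFKC", name).casefold()


def scripts_used(name):
    """Rough script detection via unicodedata character names, since the
    stdlib exposes no Script property: 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'.
    Digits and punctuation are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in name if ch.isalpha()}


def check_username(requested, taken):
    """Return (ok, canonical_name_or_reason).

    `taken` is the set of canonical names already registered; a real app
    would query its user table (assumed interface, not Django's).
    """
    canon = canonical_username(requested)
    # The Spotify bug class: a canonicalisation that is not a fixed point,
    # so canon(canon(x)) != canon(x) and two lookups disagree on identity.
    if canonical_username(canon) != canon:
        return False, "canonical form is not stable"
    # NFKC does not unify cross-script look-alikes (Latin 'a' vs Cyrillic
    # U+0430), so reject names mixing scripts rather than try to map them.
    if len(scripts_used(canon)) > 1:
        return False, "mixed scripts"
    if canon in taken:
        return False, "already taken"
    return True, canon


if __name__ == "__main__":
    registered = {"bigbird"}  # constructed sample data
    # Superscript modifier letters, the kind of name the Spotify post describes
    print(check_username("\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30", registered))
    print(check_username("p\u0430ypal", registered))   # Cyrillic a inside Latin
    print(check_username("Alice_99", registered))
```

Django later added NFKC normalization of usernames itself (`AbstractBaseUser.normalize_username`); the mixed-script check remains the application's job.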