> On 2015/09/30, at 13:29, Hans Åberg <[email protected]> wrote:
>
>> On 30 Sep 2015, at 18:33, John O'Conner <[email protected]> wrote:
>>
>> Can you recommend any documents to help me understand potential issues (if
>> any) for password policies and validation methods that allow characters from
>> more "exotic" portions of the Unicode space?
>
> On UNIX computers, one computes a hash (like SHA-256), which is then used to
> authenticate the password up to a high probability. The hash is stored in the
> open, but it is not known how to compute the password from the hash, so
> knowing the hash does not easily allow authentication.
>
> So if the password is
… normalized and then …
> encoded in say UTF-8 and then hashed, it would seem to take care of most
> problems.

You really wouldn’t want “Schlüssel” and “Schlüssel” being different passwords, would you? (assuming that my mail client and/or OS is not interfering, the first is NFC, while the second is NFD)
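An added illustration of the point made above (example code written for this page, not from anyone in the thread): the NFC and NFD spellings of “Schlüssel” encode to different UTF-8 bytes and so hash differently, but normalizing to NFC before encoding makes them the same password. The stored verifier uses a salted PBKDF2-HMAC-SHA256 with an assumed iteration count rather than the bare SHA-256 mentioned in the thread.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed sample input: the same word entered two ways.
# NFC uses precomposed U+00FC; NFD uses 'u' followed by U+0308 COMBINING DIAERESIS.
SCHLUESSEL_NFC = "Schl\u00fcssel"
SCHLUESSEL_NFD = "Schlu\u0308ssel"

# Assumed work factor for the stored verifier; tune for the deployment.
PBKDF2_ITERATIONS = 100_000


def canonical_bytes(password: str) -> bytes:
    """Normalize to NFC, then encode as UTF-8, so equivalent spellings agree."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 of raw bytes, used only to show the unnormalized mismatch."""
    return hashlib.sha256(data).hexdigest()


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted, iterated verifier from the canonical password bytes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute from the candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Without normalization the two spellings hash to different values.
    print(sha256_hex(SCHLUESSEL_NFC.encode("utf-8")) == sha256_hex(SCHLUESSEL_NFD.encode("utf-8")))
    # After NFC normalization they are byte-identical and verify against one stored digest.
    print(canonical_bytes(SCHLUESSEL_NFC) == canonical_bytes(SCHLUESSEL_NFD))
    salt, stored = make_verifier(SCHLUESSEL_NFC)
    print(verify(SCHLUESSEL_NFD, salt, stored))
```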

