jonathon wrote:
On Wed, Apr 9, 2008 at 4:38 AM, Scott Meyers wrote:

 I know my protest is futile, but I just can't cope with places that won't let 
me use whatever I want as a password.

+1

If this means what I think it does (that you've added a vote for this issue), thank you.

Whilst I can't speak for the software that the site uses, most software
for the web is incapable of handling the entire Unicode
range of glyphs, without adding patches.

It doesn't need to: no "handling" is necessary. What the client software accepts (the web browser) and the web server sees need not be the same at all. The client can map the input (some string of bits) into some form that it knows the server understands and then transmit that. The glyphs are immaterial, because the only thing the server really needs to see is a string of bits. There is no need to interpret the password in any way. Either it's the correct string of bits or it's not. It doesn't matter what they represent or whether they can be processed as text or anything else. If the server wants to limit the password length, the client can hash the user input down to this length using a one-way hash. This allows clients to have long passwords if they want to, but allows servers to limit the space they use to store them. The only thing that's lost is the ability for the server to produce the password in its original cleartext form, and it's generally considered bad security practice to do that, anyway.

Setting things up so that people can enter their arbitrary passwords using different browsers and different keyboards and different locales probably adds some complications, but it's not anything that can't be overcome with reasonable effort. Anyway, it's certainly nothing that can be used to justify prohibiting an underbar as the first character, 32 characters as the length limit, or a space character as part of the password.

Scott
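
The scheme described in the message above, as an added example that is not part of the original e-mail: the client reduces whatever the user typed to a fixed-length string of bits, and the server only ever compares bits. The function names, the NFC normalization step, and the server-side salt and PBKDF2 work factor are assumptions of this sketch, not something the message specifies.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch


def client_token(password: str) -> bytes:
    """Client side: reduce any user input to a fixed 32-byte string of bits."""
    # NFC normalization is an assumption added here so that the same password
    # typed on different keyboards or locales yields the same bytes.
    canonical = unicodedata.normalize("NFC", password)
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def server_enroll(token: bytes) -> tuple[bytes, bytes]:
    """Server side: store only a salt and a slow hash of the opaque token."""
    # The token is password-equivalent, so it is salted and stretched
    # rather than stored as received.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", token, salt, PBKDF2_ROUNDS)


def server_verify(token: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side: the bits either match or they do not; no text handling."""
    candidate = hashlib.pbkdf2_hmac("sha256", token, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample passwords: leading underbar, spaces, more than
    # 32 characters, and non-ASCII text.
    samples = [
        "_leading underbar with spaces",
        "a passphrase that is well over thirty-two characters long",
        "caf\u00e9 \u5bc6\u7801 \U0001F511",
    ]
    for pw in samples:
        salt, stored = server_enroll(client_token(pw))
        print(len(client_token(pw)), server_verify(client_token(pw), salt, stored))
```

Every sample produces a 32-byte token regardless of its length or character set, so the server's storage per account is fixed while the user's input is unrestricted.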




