Here are the Stackoverflow discussions I mentioned Ñ )oops I have the 
Espanol keyboard selected=

http://stackoverflow.com/questions/16173328/what-unicode-normalization-and-other-processing-is-appropriate-for-passwords-w
http://stackoverflow.com/questions/2798794/how-do-i-properly-implement-unicode-passwords

Maybe we should not permit Unicode passwords:
http://stackoverflow.com/questions/1797777/should-i-support-unicode-in-passwords

One issue for passwords is that you might have different Input Methods when
you use different browsers, making it more difficult to log in. Are Input
Methods much different among browsers?
We only need to consider browsers, clearly, not other UIs. (Please
correct me if there is any other, say Qt GUI.)

   - Chrome: use input tools http://www.google.com/inputtools/ on Mac, Linux, and Windows
   - Mobile Android: long-press then slide to select a char
   - Mobile iOS:
   - I.E.: Microsoft has a few ways to enter Hex codes (unfriendly in my mind) https://en.wikipedia.org/wiki/Unicode_input#In_Microsoft_Windows
   - Firefox: there are 5 addons available https://addons.mozilla.org/en-US/firefox/tag/input%20method%20editor
   - Opera, Konqueror, .. .. ..

The issue for usernames is that you could spoof someone else's username, 
and appear to be (impersonate) another person. The attacker can easily 
enter a character which looks the same but has a different Unicode point. 
Michal, as you say, we would want to normalize the chars. And as you say, 
it is a topic for the dev list.

But how important is this issue? Yes, it is security related. But it is far 
from critical in my mind.


On Wednesday, 20 April 2016 10:22:27 UTC-4, Rick Leir wrote:
>
> There is also a new issue in Trac on this topic. I added two links to 
> Stackoverflow discussions there. 
>
> The issue: supposing a password is mañana. Depending on what client you 
> use, input methods can give you two different UTF8 characters for ñ. As a 
> first step, let's add a test case, and check whether it fails. 
>
> My guess (tho I am new to this) is that this is a Django issue not Python. 
> Cheers-- Rick

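The mañana case and the username look-alike concern from the message above, as an added example that is not part of the original post and is not Django's code. It uses only the Python standard library; the salt, iteration count, sample strings and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the same visible password from two input methods.
PW_PRECOMPOSED = "ma\u00f1ana"    # ñ as the single code point U+00F1
PW_DECOMPOSED = "man\u0303ana"    # n followed by U+0303 COMBINING TILDE

SALT = b"constructed-demo-salt"   # fixed only so the example is reproducible
ITERATIONS = 10_000               # kept low for a quick demo, not a recommendation


def hash_raw(password: str) -> bytes:
    """Hash the UTF-8 bytes exactly as the client sent them (no normalization)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)


def hash_normalized(password: str, form: str = "NFC") -> bytes:
    """Normalize to one canonical form first, then hash."""
    canonical = unicodedata.normalize(form, password)
    return hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"), SALT, ITERATIONS)


def login_succeeds(stored: bytes, candidate: bytes) -> bool:
    """Constant-time comparison of the stored hash with the login attempt."""
    return hmac.compare_digest(stored, candidate)


def username_key(username: str) -> str:
    """Key for uniqueness checks: compatibility-normalize, then case-fold."""
    return unicodedata.normalize("NFKC", username).casefold()


if __name__ == "__main__":
    stored = hash_raw(PW_PRECOMPOSED)
    print("without normalization:", login_succeeds(stored, hash_raw(PW_DECOMPOSED)))
    stored = hash_normalized(PW_PRECOMPOSED)
    print("with NFC:", login_succeeds(stored, hash_normalized(PW_DECOMPOSED)))
    # Full-width "ｒｉｃｋ" collapses to "rick" under NFKC ...
    print("full-width folded:", username_key("\uff52\uff49\uff43\uff4b") == username_key("Rick"))
    # ... but Cyrillic "р" (U+0440) is a different letter, so normalization does
    # not catch it; look-alikes across scripts need a separate confusables check.
    print("cyrillic folded:", username_key("\u0440ick") == username_key("pick"))
```
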