Here are the Stackoverflow discussions I mentioned Ñ )oops I have the Espanol keyboard selected=
http://stackoverflow.com/questions/16173328/what-unicode-normalization-and-other-processing-is-appropriate-for-passwords-w
http://stackoverflow.com/questions/2798794/how-do-i-properly-implement-unicode-passwords

Maybe we should not permit unicode passwords:
http://stackoverflow.com/questions/1797777/should-i-support-unicode-in-passwords

One issue for passwords is that you might have different Input Methods when you use different browsers, making it more difficult to log in. Are Input Methods much different among browsers? We only need to consider browsers, clearly, not other UIs. (Please correct me if there is any other, say Qt GUI.)

- Chrome: use input tools http://www.google.com/inputtools/ on Mac, Linux, and Windows
- Mobile Android: long-press then slide to select a char
- Mobile iOS:
- I.E.: Microsoft has a few ways to enter Hex codes (unfriendly in my mind) https://en.wikipedia.org/wiki/Unicode_input#In_Microsoft_Windows
- Firefox: there are 5 addons available https://addons.mozilla.org/en-US/firefox/tag/input%20method%20editor
- Opera, Konqueror, .. .. ..

The issue for usernames is that you could spoof someone else's username, and appear to be (impersonate) another person. The attacker can easily enter a character which looks the same but has a different Unicode point.

Michal, as you say, we would want to normalize the chars. And as you say, it is a topic for the dev list.

But how important is this issue? Yes, it is security related. But it is far from critical in my mind.

On Wednesday, 20 April 2016 10:22:27 UTC-4, Rick Leir wrote:
>
> There is also a new issue in Trac on this topic. I added two links to
> Stackoverflow discussions there.
>
> The issue: supposing a password is mañana. Depending on what client you
> use, input methods can give you two different UTF8 characters for ñ. As a
> first step, let's add a test case, and check whether it fails.
>
> My guess (tho I am new to this) is that this is a Django issue not Python.
> Cheers-- Rick
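
The test case suggested above, sketched as an added example that is not part of the original message and is not Django code: it hashes the two encodings of "mañana" with and without normalization, then shows which username lookalikes normalization does and does not collapse. The NFKC form, the PBKDF2 parameters, the salt and the helper names are assumptions made for the illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample inputs: the same visible password from two input methods.
PW_COMPOSED = "ma\u00f1ana"     # ñ as a single code point, U+00F1
PW_DECOMPOSED = "man\u0303ana"  # n followed by combining tilde, U+0303
SALT = b"constructed-salt"      # fixed only so the demonstration is repeatable


def hash_password(password, salt=SALT, form=None):
    """PBKDF2-HMAC-SHA256 over the UTF-8 bytes, optionally normalizing first."""
    if form is not None:
        password = unicodedata.normalize(form, password)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def same_password(a, b, form=None):
    """Compare two candidate passwords the way a login check compares hashes."""
    return hmac.compare_digest(hash_password(a, form=form),
                               hash_password(b, form=form))


def username_key(name):
    """Uniqueness key for usernames: NFKC, case fold, then NFKC again."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return unicodedata.normalize("NFKC", folded)


if __name__ == "__main__":
    # Without normalization the two encodings produce different hashes.
    print("raw match: ", same_password(PW_COMPOSED, PW_DECOMPOSED))
    print("NFKC match:", same_password(PW_COMPOSED, PW_DECOMPOSED, form="NFKC"))
    # Fullwidth "R" (U+FF32) collapses to "r" under NFKC plus case folding.
    print("fullwidth: ", username_key("\uff32ick") == username_key("rick"))
    # Cyrillic "с" (U+0441) is a different letter; normalization keeps it
    # distinct, so lookalikes across scripts need a separate check.
    print("cyrillic:  ", username_key("ri\u0441k") == username_key("rick"))
```

Normalization has to be applied both when the password is set and when it is checked; hashes stored before the change only match the byte sequence that was originally typed.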