On Thu, Apr 21, 2016 at 07:30:07AM -0700, Rick Leir wrote:
> Here are the Stackoverflow discussions I mentioned Ñ )oops I have the 
> Espanol keyboard selected
> 
> http://stackoverflow.com/questions/16173328/what-unicode-normalization-and-other-processing-is-appropriate-for-passwords-w
> http://stackoverflow.com/questions/2798794/how-do-i-properly-implement-unicode-passwords
> 
> Maybe we should not permit Unicode passwords:
> http://stackoverflow.com/questions/1797777/should-i-support-unicode-in-passwords
> 
> One issue for passwords is that you might have different Input Methods when 
> you use different browsers, making it more difficult to log in. Are Input 
> Methods much different among browsers?
> We only need to consider browsers, clearly, not other UIs. (Please 
> correct me if there is any other, say a Qt GUI.)
> 
>    - Chrome: use input tools http://www.google.com/inputtools/ on Mac, 
>    Linux, and Windows
>    - Mobile Android: long-press then slide to select a char
>    - Mobile iOS: 
>    - IE: Microsoft has a few ways to enter hex codes (unfriendly in my 
>    mind) https://en.wikipedia.org/wiki/Unicode_input#In_Microsoft_Windows
>    - Firefox: there are 5 addons available 
>    https://addons.mozilla.org/en-US/firefox/tag/input%20method%20editor
>    - Opera, Konqueror, .. .. ..
> 
> The issue for usernames is that you could spoof someone else's username, 
> and appear to be (impersonate) another person. The attacker can easily 
> enter a character which looks the same but has a different Unicode point. 
>  Michal, as you say, we would want to normalize the chars. And as you say, 
> it is a topic for the dev list.
> 
> But how important is this issue? Yes, it is security related. But it is far 
> from critical in my mind.

It's not important until this happens:
https://labs.spotify.com/2013/06/18/creative-usernames/

The question is whether this is something that Django should handle by
default, or whether it's up to each application developer to take care of it.

A quick and superficial search through the archives of
django-developers didn't yield much on this topic, I only found one
thread about this from way back in 2008, and as I skimmed through the
thread, it doesn't seem the security aspects were considered:
https://groups.google.com/d/topic/django-developers/WW28RIVyU3k/discussion

Michal
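The two problems raised in this thread (names that become the same account after normalization, and names built from look-alike code points) can both be checked at registration time. The script below is an added example written for this discussion; it is not code from the thread, from Django, or from the Spotify post. It uses only the standard `unicodedata` module; the confusables table is a small hand-picked subset (Unicode's confusables.txt is the full source), the script heuristic based on character names is an approximation because Python has no Script property, and the registry contents are constructed sample data. The idempotence check (`is_stable`) is the lesson of the Spotify incident linked above: a canonical form must map to itself when canonicalized again. (Django later added NFKC normalization of usernames in `AbstractBaseUser.normalize_username`; this example does not depend on it.)

```python
"""Username canonicalisation and look-alike detection (added example)."""
import unicodedata

# Deliberately partial table of look-alike code points mapped to the Latin
# letter they resemble. Hand-picked for illustration; Unicode's
# confusables.txt is the complete source.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def canonicalize(name: str) -> str:
    """NFKC-normalise and case-fold a username.

    NFKC folds compatibility variants (fullwidth forms, superscript and
    modifier letters, ligatures) into their base characters; casefold() is
    the Unicode-correct lowercasing for comparison purposes.
    """
    return unicodedata.normalize("NFKC", name).casefold()


def is_stable(name: str) -> bool:
    """True if canonicalising twice yields the same string as once.

    A canonicalisation that is not idempotent lets one stored name map to a
    different existing account on a later pass.
    """
    once = canonicalize(name)
    return canonicalize(once) == once


def scripts_used(name: str) -> set:
    """Crude script detection from the first word of each letter's Unicode
    name ('LATIN', 'CYRILLIC', 'GREEK', ...). Approximation only; ICU or the
    third-party regex module expose the real Script property."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in name if ch.isalpha()}


def is_mixed_script(name: str) -> bool:
    """Flag names that mix letters from more than one script."""
    return len(scripts_used(canonicalize(name))) > 1


def skeleton(name: str) -> str:
    """Reduce a name to a look-alike skeleton: canonical form, combining
    marks stripped, known confusables mapped to the Latin letter they
    resemble. Equal skeletons mean visually confusable names."""
    decomposed = unicodedata.normalize("NFD", canonicalize(name))
    base = "".join(ch for ch in decomposed
                   if unicodedata.category(ch) != "Mn")
    return "".join(CONFUSABLES.get(ch, ch) for ch in base)


def find_conflict(candidate: str, existing: list) -> str:
    """Return the existing username the candidate collides with or could
    impersonate, or '' if none. A registration flow would store
    canonicalize() output and run this check against the stored values."""
    cand_skel = skeleton(candidate)
    for taken in existing:
        if canonicalize(taken) == canonicalize(candidate):
            return taken  # same account once normalised
        if skeleton(taken) == cand_skel:
            return taken  # different code points, same appearance
    return ""


if __name__ == "__main__":
    # Constructed sample registry and sign-up attempts, not from the thread.
    registry = ["admin", "bigbird", "paypal"]
    attempts = [
        "\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30",  # modifier-letter BIGBIRD
        "p\u0430ypal",                                  # Cyrillic a in the middle
        "\uff41dmin",                                   # fullwidth a
        "alice",
    ]
    for attempt in attempts:
        print(repr(attempt), "->", repr(canonicalize(attempt)),
              "| stable:", is_stable(attempt),
              "| mixed-script:", is_mixed_script(attempt),
              "| conflict:", find_conflict(attempt, registry) or "none")
```

The order of operations matters: normalize first, then compare or look up, and store only the canonical form so that the login path and the registration path run the same function on the same bytes. The skeleton check is a second, independent test, because two names can be distinct after NFKC and still be indistinguishable on screen.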

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/20160421144157.GH1129%40koniiiik.org.