using regex for password validation

Chris Angelico rosuav at gmail.com
Wed Dec 23 18:29:30 EST 2020


On Thu, Dec 24, 2020 at 10:21 AM <2QdxY4RzWzUUiLuE at potatochowder.com> wrote:
> If you're going to wander out of ASCII, then don't forget to address
> Unicode confusables.  Nothing is more embarrassing than scribbling your
> complicated password on a sticky note and then not being able to tell
> the o's from the ο's.  ;-)

TBH I don't think that's really our consideration. My recommendation
is: First do a basic Unicode normalization (probably NFC, but there
are good arguments for NFD instead), then just use it as-is.
Everything else is the user's choice. And you shouldn't ever have to
worry about a maximum length; after any checks such as "both passwords
must be the same" (on account creation), the only thing you'll need to
do is encode it as UTF-8 and hand it to bcrypt.

But by using simpler password requirements (an 11-character minimum is
good in 2020, but maybe in the future you might want to extend that to
12), you reduce the temptation to use confusable letters in it.
Context is everything.

ChrisA
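The procedure Chris describes (NFC normalization, a "both entries match" check, a minimum length, then the UTF-8 bytes into a password hash) as an added example that is not from the post. It assumes the post's 11-character minimum and, so that it runs with the standard library alone, substitutes hashlib's scrypt for bcrypt.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 11  # the post's 2020 recommendation; raise it over time


def normalize_password(raw: str) -> str:
    # NFC, as the post recommends; NFD works too as long as both account
    # creation and login apply the same form.  Note that NFC does NOT merge
    # confusables: Latin "o" and Greek omicron stay distinct code points.
    return unicodedata.normalize("NFC", raw)


def validate_new_password(first: str, second: str) -> str:
    """Account-creation checks: normalize, require both entries to match,
    enforce only a minimum length.  Returns the normalized password."""
    pw1 = normalize_password(first)
    pw2 = normalize_password(second)
    if pw1 != pw2:
        raise ValueError("passwords do not match")
    if len(pw1) < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    return pw1


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Encode as UTF-8 and hand the bytes to a slow password hash.

    Stand-in for the post's bcrypt: hashlib.scrypt, so no third-party package
    is needed.  With the bcrypt package the equivalent call is
    bcrypt.hashpw(data, bcrypt.gensalt()).  (bcrypt only consumes the first
    72 bytes of input; scrypt has no such limit.)
    """
    salt = salt or os.urandom(16)
    data = password.encode("utf-8")
    digest = hashlib.scrypt(data, salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Login check: same normalization, same encoding, constant-time compare."""
    _, recomputed = hash_password(normalize_password(candidate), salt)
    return hmac.compare_digest(recomputed, digest)
```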
