guile-user

Re: Guile Hacker Handbook - Character sets


From: John Cowan
Subject: Re: Guile Hacker Handbook - Character sets
Date: Thu, 18 Feb 2021 19:10:38 -0500

On Thu, Feb 18, 2021 at 6:17 PM divoplade <d@divoplade.fr> wrote:


> Fortunately, there are very few international problems that need to
> look at individual characters of a string. Your password rules example
> is arguably one of them, although it may make non-latin users angry
> (this upper case / lower case distinction does not work in chinese, as
> far as I know).


The 2017 (U.S.) NIST password guidelines no longer limit what characters
can appear in a password: in particular, spaces, Chinese characters, and
emoji are fine.  Here is the complete list of guidelines, which are binding
on the U.S. government but recommended for everyone:

1) Passwords must be 8 characters or more but not more than 64 characters,
and must be hashed and salted before being stored.  Password length is the
primary defense against password cracking.  (Note that a password assigned
by the system such as a PIN may have as few as 6 digits.)

2) All Unicode characters should be allowed unless they are forbidden by
the underlying system.  Runs of repeated or consecutive characters,
however, are not allowed.

3) Pasting text should be allowed wherever possible, so as to encourage the
use of password managers.

4) Password hints are not allowed.  They weaken security.

5) Enforcing periodic password changes is not allowed.  They decrease
usability and encourage users to use the same or similar passwords, which
causes the increased security to be negligible.

6) Enforcing password complexity requirements like the use of lower case,
upper case, digits, etc. is not allowed.  The security they add is
negligible.

7) Passwords must be screened against a list of commonly used passwords,
known compromised passwords, and dictionary words, as password cracking
programs will usually try such passwords first.



John Cowan          http://vrici.lojban.org/~cowan        cowan@ccil.org
Work hard / play hard,                                      cowan@ccil.org
die young / rot quickly.
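The seven rules listed in the message above, written out as a checker in Python. This is an added example, not code from the original post, from the Guile Hacker Handbook or from NIST; the following are assumptions: length is counted in Unicode code points, a "run" is three or more identical or consecutive code points, the screening list is a small constructed stand-in matched case-insensitively, and scrypt with the parameters shown is the salted hash.

```python
"""NIST-style password rules as a checker (added example, not from the post)."""
import hashlib
import os
import secrets
from typing import List, Optional, Tuple

MIN_LEN, MAX_LEN = 8, 64   # rule 1, measured in code points (assumption)
RUN_LEN = 3                # rule 2, shortest run rejected (assumption)

# Constructed stand-in for a real breach-corpus / dictionary list (rule 7).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def find_run(pw: str, n: int = RUN_LEN) -> Optional[str]:
    """Return the first window of n identical or consecutive code points, else None."""
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n]
        cps = [ord(c) for c in window]
        steps = {b - a for a, b in zip(cps, cps[1:])}
        if steps in ({0}, {1}, {-1}):      # "aaa", "abc"/"123", "cba"/"321"
            return window
    return None


def check_password(pw: str, blocklist=BLOCKLIST) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted.

    Deliberately absent: any case/digit/symbol requirement (rule 6), any
    restriction on which characters may appear (rule 2, so spaces, CJK and
    emoji are fine), hints (rule 4) and expiry (rule 5).
    """
    problems = []
    n = len(pw)                            # code points, not bytes
    if n < MIN_LEN:
        problems.append(f"too short: {n} < {MIN_LEN}")
    if n > MAX_LEN:
        problems.append(f"too long: {n} > {MAX_LEN}")
    run = find_run(pw)
    if run is not None:
        problems.append(f"repeated/consecutive run: {run!r}")
    if pw.casefold() in blocklist:         # case-insensitive match (assumption)
        problems.append("appears on the screening list")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt and hash before storage (rule 1). Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(pw.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored salt+digest."""
    return secrets.compare_digest(hash_password(pw, salt)[1], digest)


if __name__ == "__main__":
    for candidate in ["correct horse 馬 🐎 battery", "password", "abc12345", "short"]:
        print(repr(candidate), check_password(candidate) or "ok")
    s, d = hash_password("correct horse 馬 🐎 battery")
    print("verify:", verify_password("correct horse 馬 🐎 battery", s, d))
```

The passphrase containing a space, a Chinese character and an emoji passes every rule, while "password" fails only the screening check and "abc12345" fails only the run check; the checker never looks at case, which is the point the quoted reply raises about non-Latin users.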

