This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Unicode normalize passwords #3306

Closed
NotAFile opened this issue May 30, 2018 · 1 comment
Closed

Labels
z-minor (Deprecated Label) z-p2 (Deprecated Label)

Comments

@NotAFile
Contributor

NotAFile commented May 30, 2018

(as discussed in #synapse-dev)

The code currently does no normalization of any kind on the password before hashing. This is problematic™ because with Unicode, multiple representations can exist for a single character. This would mean that depending on how exactly the user's system does text entry, the same password entered on a different system, or version of that system, might have a different hash.

The solution to this is normalization. Apparently, according to other people, NFKD or NFKC is what you want here.

Problems:

  • Unless something like versioning or fallback is done, normalization will break many people's passwords

Advantages:

  • If normalization is done, people's passwords won't break the next time someone decides to change their Unicode input code a bit.

@neilisfragile neilisfragile added z-p2 (Deprecated Label) z-minor (Deprecated Label) labels Jun 4, 2018
@hawkowl
Contributor

hawkowl commented Sep 14, 2018

We now normalise with NFKC. We don't do any versioning or fallback, assuming mostly that people's passwords were inconsistently broken before, and now they're at least broken consistently.

@hawkowl hawkowl closed this as completed Sep 14, 2018
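To make the issue and the NFKC fix concrete, here is an added Python example that is not part of Synapse or of either comment above. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the real password hash, shows that two Unicode representations of the same visible string hash differently without normalisation and identically with NFKC, and adds a hypothetical verification step with the legacy fallback the first comment asks for (and the second comment decided against). The function names, the fixed salt and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import unicodedata

# Constructed demo parameters: PBKDF2-HMAC-SHA256 stands in for the real
# password hash, and the iteration count is kept low so the example runs fast.
ITERATIONS = 10_000
SALT = b"constructed-fixed-salt-for-demo"  # real code uses a random per-user salt

# Two representations of "café": precomposed é (U+00E9) versus
# e followed by a combining acute accent (U+0301). They look identical.
NFC_FORM = "caf\u00e9"
NFD_FORM = "cafe\u0301"


def normalize_password(password: str) -> str:
    """Map every Unicode representation of the same string to one
    canonical form (NFKC) so that it hashes to one value."""
    return unicodedata.normalize("NFKC", password)


def hash_password(password: str, salt: bytes, normalize: bool = True) -> bytes:
    """Hash a password; normalize=False reproduces the pre-fix behaviour."""
    pw = normalize_password(password) if normalize else password
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)


def verify_password(candidate: str, salt: bytes, stored: bytes) -> str:
    """Hypothetical fallback scheme: return 'ok' when the NFKC form matches,
    'legacy' when only the raw un-normalised form matches (a hash written
    before normalisation was introduced; the caller should rehash it),
    and 'fail' otherwise. Comparisons are constant-time."""
    if hmac.compare_digest(hash_password(candidate, salt, normalize=True), stored):
        return "ok"
    if hmac.compare_digest(hash_password(candidate, salt, normalize=False), stored):
        return "legacy"
    return "fail"


def demo() -> dict:
    """Collect the observable results so they can be inspected or asserted on."""
    raw_equal = hash_password(NFC_FORM, SALT, normalize=False) == \
        hash_password(NFD_FORM, SALT, normalize=False)
    nfkc_equal = hash_password(NFC_FORM, SALT) == hash_password(NFD_FORM, SALT)

    # A hash created with the fixed code: either input form verifies.
    stored_new = hash_password(NFC_FORM, SALT)
    # A hash created by the old code from the decomposed form: only the
    # exact original byte sequence still matches, via the legacy branch.
    stored_legacy = hash_password(NFD_FORM, SALT, normalize=False)

    return {
        "raw_hashes_equal": raw_equal,          # False: the bug the issue describes
        "nfkc_hashes_equal": nfkc_equal,        # True: the fix
        "new_hash_nfd_input": verify_password(NFD_FORM, SALT, stored_new),
        "legacy_hash_nfd_input": verify_password(NFD_FORM, SALT, stored_legacy),
        "legacy_hash_nfc_input": verify_password(NFC_FORM, SALT, stored_legacy),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results illustrate hawkowl's point: without normalisation a legacy hash only matches the exact representation the user's keyboard produced at signup, so a fallback branch rescues users who keep typing the same form but not those whose input method has since changed. Note also that NFKC folds compatibility characters (for example the ligature U+FB01 "ﬁ" becomes "fi"), which is why a fallback scheme, if adopted, should rehash the password in NFKC form as soon as the legacy branch succeeds.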
3 participants