{"id":4484,"date":"2017-04-06T19:19:36","date_gmt":"2017-04-06T19:19:36","guid":{"rendered":"https:\/\/really.zonky.org\/?p=4484"},"modified":"2017-04-10T19:44:59","modified_gmt":"2017-04-10T19:44:59","slug":"unicode-passwords","status":"publish","type":"post","link":"https:\/\/really.zonky.org\/?p=4484","title":{"rendered":"Unicode Passwords?"},"content":{"rendered":"

One of the possibilities when setting a password is to use non-ASCII characters, such as \u00a8\u00fe\u00a8 (that is a thorn). Well perhaps something a little more secure than just a single character.<\/p>\n

But just how sensible is it?<\/p>\n

The first thing to bear in mind is that you need to be able to enter the password\u00a0reliably<\/em> in all circumstances. A tale from the mists of time: I once set a\u00a0root<\/em> password on a Unix machine that included the \u00a8@\u00a8 character, which normally worked fine but failed on the system console because on that terminal the old<\/em> Unix tty was still active and \u00a8@\u00a8 would erase a line, making it impossible to enter the password.<\/p>\n

Fortunately I realised what the problem was before it became more than a little annoying.<\/p>\n

But the point still remains – if you cannot type a password, you cannot authenticate. So for passwords such as firmware passwords, system encryption passwords, or normal computer account passwords, a password containing Unicode characters is probably a very bad idea.<\/p>\n

But for when you have full control over your computer(s), such as for web account passwords, a password containing Unicode characters is worth considering.<\/p>\n

So how safe is a password containing a Unicode character anyway? Well, on my usual password cracking machine, john the ripper is unable to crack the password \u00a8\u00fe\u00a8 in approximately 24 hours. Of course that is a bit of a cheat as john the ripper does not by default check Unicode characters, and if it did it would be able to crack a one character password. But it would take\u00a0longer<\/em>; adding Unicode characters increases the space that john the ripper needs to search in order to find your password.<\/p>\n

And perhaps more importantly makes it less likely for a password guesser (Hydra<\/a> for example) to be successful.<\/p>\n

So if you normally use a password such as\u00a0thistlethinthorn<\/em>, changing it to\u00a0\u00feistle\u00fein\u00feorn<\/em> is worth considering. Or indeed changing the separator between words in a multiword password to a Unicode character:\u00a0thistle\u2620thin\u2620thorn<\/em>, or\u00a0red\u00a1whistle\u00a1wheel<\/em>.<\/p>\n

\"\"<\/p>\n","protected":false},"excerpt":{"rendered":"

One of the possibilities when setting a password is to use non-ASCII characters, such as \u00a8\u00fe\u00a8 (that is a thorn). Well perhaps something a little more secure than just a single character. But just how sensible is it? The first thing to bear in mind is that you need to be able to enter the […]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_share_on_mastodon":"0"},"categories":[4,489],"tags":[1503,1388,862,1390],"class_list":["post-4484","post","type-post","status-publish","format-standard","hentry","category-it","category-security","tag-password","tag-thorn","tag-unicode","tag-th","category-4-id","category-489-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"share_on_mastodon":{"url":"","error":""},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1f2KI-1ak","_links":{"self":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/4484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4484"}],"version-history":[{"count":6,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/4484\/revisions"}],"predecessor-version":[{"id":4496,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/4484\/revisions\/4496"}],"wp:attachment":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}