Author: Jeff Garzik 2014-07-15 15:53:36
Published on: 2014-07-15T15:53:36+00:00
The security UX testing shows that it is easier for some users to memorize and use longer passphrases, if they are permitted spaces. However, there is no information available regarding the use of tabs/NLs/FFs in phrases. Some systems convert \s+ into ' ' for password hashing purposes which might frustrate a security nerd or two. Control characters should be filtered, while whitespace can be problematic but should be allowed. The use of emoticons would require substandard approaches such as character blacklists which is not desirable. Jeff Garzik, a Bitcoin core developer and open source evangelist, recently added an implementation of BIP 38 (password protected private keys) to bitcoinj. He suggests removing test vector 3 as it does not represent any real-world usage of the spec. Given that "pile of poo" is not a character any sane user would put into a passphrase, he questions the value of this test vector. NFC form is intended to collapse things like umlaut control characters onto their prior code point, but here we're feeding the algorithm what is basically garbage so he's not totally surprised that different implementations appear to disagree on the outcome. If they desperately need to verify NFC normalization, he suggests using a different, more realistic test string, like Zürich, or something written in Thai.
Updated on: 2023-06-09T00:59:37.349485+00:00