[phlo]

Let's start at the edgest of cases.

Some emoji, for example, are combinations of multiple other emoji, and a given combined emoji may not be uniquely represented by a sequence of codepoints. In the pathological case, this could mean that an OS update on the user's system changes the composition of the same emoji, which might make it impossible for them to input their password. It is probably prudent for a system to disallow emoji passwords.

One step away from Emoji, Unicode also allows for other m̸̱̜̅ͅȋ̴̩̠̀s̸̺͐c̶͈͇͉̐͛̚h̸̤̣̆i̴͍͍͒͌e̴̲̽̓f̸̞̽̊. Chances are, full-on Zalgo passwords can lead to problems. Again, there are probably prudent reasons to restrict some characters. On the other hand, those modifiers exist for a reason, and disallowing phrases in the user's native language doesn't make for great UX.

Towards the more common use of Unicode, there is a pretty good _practical_ reason to restrict the use of some non-ASCII characters: if your system accepts ç, ö and ø as characters in passwords, and non-technical users venture into a part of the world where the keyboard layout doesn't, your helpdesk is going to have to deal with the occasional annoyed customer. From a systems design perspective, those characters seem fine -- operationally, they may cause headaches.

Finally, we've arrived at printable ASCII characters. Restrictions on maximum length (usually 6 or 8 characters), and on certain characters (%, & or :) tend to be based on interactions with legacy systems (e.g. DES crypt() used to have an 8-character minimum), or on bad input handling. Either way, it's probably a bad sign.

[delecti]

> It is probably prudent for a system to disallow emoji passwords

In addition, not all keyboard environments are capable of inputting the same set of emoji. A coworker once got locked out of his macbook because the UX when changing the password when already logged in allowed inputting emoji, but the OS login screen did not (could be misremembering some specifics, but the broad point remains).

Which I suppose is really a subset of the sorts of issues around ç, ö and ø, but how it can happen even on the same system in different contexts.

[chrismorgan]

I don’t think it’s prudent for a system to disallow emoji passwords. Or to restrict various characters. I say: let the user do what they want to do; on their own heads be it if they do something that doesn’t work for them in all circumstances, and the end result is practically not much different from forgetting a password, which is normal.

In general, passwords are not treated as essential for access, and there will be recovery techniques, and the number of password resets or whatever required because they can’t type such-and-such a character any more or on this new device will be a minuscule fraction of the total. Resetting passwords and other forms of lost account access is typically not an exceptional path. From what I’ve seen, for business-to-customer businesses that don’t have some form of self-serve account recovery, “I’ve lost access to my account” will routinely be half your ticket volume.

In those fairly uncommon situations where passwords are essential for access (e.g. where it’s an encryption key), well, it’s still up to the user, and the user is somewhat more likely to be aware of any potential hazards in such fanciness.

Overall, I say: stop trying to be clever; accept what is set before you without asking questions on the grounds of compatibility. Let the user do what they try to do.

Maybe normalise Unicode; it’s a harmless thing to do and has the potential to improve compatibility slightly on very unusual input devices. (I don’t think I’d bother, myself.) But beyond that, I’m not sold on the arguments for restricting possibilities.

[phlo]

I see where you're coming from, and looking at the problem from a purely technical perspective, I agree with you. A password is just a string of codepoints. Accept what you get, yeet it into a password hashing function, and be done with it.

However, in my opinion, for real-world systems, you need to strike a balance between technical and operational, and user experience concerns. If restricting your password space to printable ASCII characters can meaningfully decrease the amount of the tickets that generate half of your ticket volume, you should give it some serious thought.

There are good arguments for both approaches, and the right way also depends on your user base. There was a story about WhatsApp a while ago, criticizing that WhatsApp would only notify users when their contacts' security code had changed, whereas Signal (and other secure messengers) would block and ask for confirmation first. Signal currently sits at 100M+ downloads in Play store, WhatsApp sits at 5B+. The numbers are very vague, but WA has 1-2 orders of magnitude more users than Signal.

In the WhatsApp example, a small change in the process can mean that good security becomes accessible to a pool of billions of users, vs. excellent security to millions. Restricting the password character set (to a sensible set of characters, and with a sensible length limit) comes with no security drawbacks, and good chances of some process/usability improvements. For a real-world deployment, I would argue it's very prudent.

[chrismorgan]

I expect the number of tickets induced by supporting Unicode to be a negligible fraction. (I offer no support for this expectation.) Depending on the type of service you’re running, you might even avoid a few tickets from people that might complain about the restrictions, though certainly most of the time people will just sigh and choose something else and not even think of contacting to complain.

No security drawback? You make it harder for people to use the password they want to use. There is a real cost to that, encouraging bad password hygiene. Provided you support at least printable ASCII it’s unlikely to be a significant cost, but it is a cost, and I remain entirely unconvinced of the practical benefits of the restriction.

[Bakary]

Reversing the argument a bit: what incentive does the dev have to not restrict characters and be done with it? It's basically getting rid of various problems at no cost. And the type of customer demographic annoyed by this will not only be tiny in number but will also probably be annoyed by other things as well anyway.

[faebi]

My favorite experience was with the backspace character. One of our cli tools accidentally saved them in a password store. The user can show his password but the console interpreted the backspace and therefore everything looked normal. That discovery was truly funny. Null byte characters create a funny user experience too. A user has an issue with an input, then I go and fix the problem by typing the same thing again and it works. These can end up in passwords too.