
On Thu, 26 Sep 2024 10:47:37 +1200, Peter Reutemann quoted:
> 4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
The original document <https://pages.nist.gov/800-63-4/sp800-63b.html#password> clarifies this a bit more: If Unicode characters are accepted in passwords, the verifier SHOULD apply the normalization process for stabilized strings using either the NFKC or NFKD normalization defined in Sec. 12.1 of Unicode Normalization Forms [UAX15]. This process is applied before hashing the byte string that represents the password. Subscribers choosing passwords that contain Unicode characters SHOULD be advised that some endpoints may represent some characters differently, which would affect their ability to authenticate successfully. In other words, maybe stay away from those Zalgo-text passwords ...
> 8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
I didn’t see any recommendation for what else to do if the user forgets their password.
> 9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
You’d think this would go without saying ... apparently not.