non-ascii passwords and password rules?

763 views
Skip to first unread message

Dirk Pranke

unread,
Jun 23, 2010, 10:05:46 PM6/23/10
to chromium-dev
Hi all,

Can anyone answer the following questions for me? I have little
experience with non-English sites that involve user accounts and
passwords.

1) How common is it for users to use passwords that don't involve
ASCII characters (presumably this happens all the time on users with
non-ASCII keyboards)?

2) How do sites that are primarily in non-ASCII languages tend to
enforce password rules, if at all? I can imagine, for example, that
some languages are similar to common English rules (like 6 or more
characters, one upper case, and one non-alphabetic character) while
others (e.g., Chinese) have very different rules. Can anyone give me
some examples of what rules might be?

The context is that I'm considering what it would take to be able to
specify a microformat for generating (or validating) passwords. You
can probably do this with a set of regular expressions (a single regex
isn't really sufficient, because regexes are really awkward at
specifying AND rules like "one letter AND one digit"), but regexes are
awkward over the full unicode space, and I'm not sure if there are
particularly comprehensible character classes that fit everywhere ...
of course, there may not be any better alternatives to character
classes, either.

-- Dirk

Peter Kasting

unread,
Jun 24, 2010, 1:19:30 AM6/24/10
to dpr...@google.com, chromium-dev
On Wed, Jun 23, 2010 at 7:05 PM, Dirk Pranke <dpr...@chromium.org> wrote:
The context is that I'm considering what it would take to be able to
specify a microformat for generating (or validating) passwords. You
can probably do this with a set of regular expressions (a single regex
isn't really sufficient, because regexes are really awkward at
specifying AND rules like "one letter AND one digit"), but regexes are
awkward over the full unicode space, and I'm not sure if there are
particularly comprehensible character classes that fit everywhere ...
of course, there may not be any better alternatives to character
classes, either.

You may want to ask on a list like whatwg; this seems like the sort of topic I've seen covered there.

PK 

Yuta Kitamura

unread,
Jun 24, 2010, 1:51:51 AM6/24/10
to dpr...@google.com, chromium-dev
In terms of Japanese, it is not common to set a password consisting of Japanese characters because you need to use IME (input method editor) to input Japanese characters. IME displays candidate words while inputting, which makes shoulder surfing easier. I guess Chinese and Korean are similar to Japanese in this respect.

Basically it's not a good idea to generate a random password over all Japanese characters, because there are many uncommon characters which are hard to input via IME. Such password is hard to input and also hard to remember. 

Thanks,
Yuta


--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
   http://groups.google.com/a/chromium.org/group/chromium-dev

Anton Vayvod

unread,
Jun 24, 2010, 5:28:27 AM6/24/10
to dpr...@chromium.org, chromium-dev
FYI, Gmail does support password which consist only of A-Za-z0-9 and small number of special characters (if you try enter password with other symbols Gmail will kindly notify you about it - on sign up page). I believe so do many other services.
Maybe you don't need non-ASCII passwords at all then.

TAMURA, Kent

unread,
Jun 24, 2010, 8:09:49 AM6/24/10
to dpr...@google.com, chromium-dev
Chromium/Windows and Safari/Windows disable IME for <input type=password>.
Users can't input characters which need IME.
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
   http://groups.google.com/a/chromium.org/group/chromium-dev



--
TAMURA Kent
Software Engineer, Google



Dirk Pranke

unread,
Jun 24, 2010, 7:18:06 PM6/24/10
to TAMURA, Kent, chromium-dev
Anyone in the St. Petersburg office care to share any feedback on
sites in Cyrillic alphabets / languages?

-- Dirk

Vitaly Repeshko

unread,
Jun 25, 2010, 6:14:03 PM6/25/10
to dpr...@google.com, TAMURA, Kent, chromium-dev
On Fri, Jun 25, 2010 at 3:18 AM, Dirk Pranke <dpr...@google.com> wrote:
> Anyone in the St. Petersburg office care to share any feedback on
> sites in Cyrillic alphabets / languages?

I think most of users in Russia are trained to use ascii passwords.
Usually that's because logins are required to be ascii. Sometimes when
people really want Cyrillic they just type it keeping English layouts
on their keyboards. This way it looks like a pretty random ascii
string and is easy to remember (and also easy to crack).


-- Vitaly

Reply all
Reply to author
Forward
0 new messages