[SERVER-10898] Passwords should be canonicalized according to unicode canonicalization NFC Created: 25/Sep/13  Updated: 06/Dec/22  Resolved: 13/Apr/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Andy Schwerin Assignee: Backlog - Security Team
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-10897 User and role names should be canonic... Backlog
is related to SERVER-10896 Enforce prohibition of embedded NULLs... Closed
Assigned Teams:
Server Security
Participants:

Description

Similar to SERVER-10897, if drivers and the server don't engage in some canonicalization process for passwords, there is a strong risk of mismatches when the input device used by the end user produces a different encoding of a multi-code-point character, or of a character that has multiple code point representations (e.g., Greek capital omega and the Ohm symbol).



Comments
Comment by Andrew Morrow (Inactive) [ 13/Apr/18 ]

This issue was resolved while working on other facets of SCRAM-SHA-256. We are using SASLprep for passwords. No additional work is required, closing as 'gone away'.

Comment by David Golden [ 21/Feb/18 ]

As SCRAM specifies using SASLprep, which is normalization form NFKC, should this and SERVER-10897 be changed to NFKC instead?
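An added example, not part of the ticket or of the MongoDB code base, showing the mismatch the description warns about (precomposed vs. decomposed characters, Ohm sign vs. Greek capital omega) and how the NFC form proposed in the title and the NFKC form used by SASLprep each resolve it; the sample passwords are constructed.

```python
import unicodedata
from typing import Optional

# Constructed sample inputs: the same visible password typed through two
# input methods. One emits precomposed code points, the other emits a base
# letter plus a combining accent and the OHM SIGN instead of capital omega.
PRECOMPOSED = "caf\u00e9\u03a9"   # U+00E9 LATIN SMALL LETTER E WITH ACUTE, U+03A9 OMEGA
DECOMPOSED = "cafe\u0301\u2126"   # 'e' + U+0301 COMBINING ACUTE ACCENT, U+2126 OHM SIGN


def normalize_password(password: str, form: str = "NFC") -> str:
    """Canonicalize a password with the given Unicode normalization form.

    NFC is what the ticket title proposes. NFKC is the form SASLprep
    (RFC 4013) applies; it also folds compatibility characters such as
    fullwidth Latin letters onto their ASCII equivalents. Only the
    normalization step of SASLprep is modelled here, not its mapping,
    prohibited-character and bidi checks.
    """
    if form not in ("NFC", "NFKC"):
        raise ValueError("use NFC or NFKC")
    return unicodedata.normalize(form, password)


def passwords_match(stored: str, supplied: str, form: Optional[str] = "NFC") -> bool:
    """Compare two passwords after canonicalizing both sides.

    form=None compares raw code points and reproduces the mismatch the
    ticket describes. A real server compares a salted hash of the
    canonical form rather than the canonical string itself.
    """
    if form is None:
        return stored == supplied
    return normalize_password(stored, form) == normalize_password(supplied, form)


def compare_forms(a: str, b: str) -> dict:
    """Report whether a and b agree raw, under NFC and under NFKC."""
    return {
        "raw": passwords_match(a, b, None),
        "NFC": passwords_match(a, b, "NFC"),
        "NFKC": passwords_match(a, b, "NFKC"),
    }


if __name__ == "__main__":
    print(compare_forms(PRECOMPOSED, DECOMPOSED))
    # Fullwidth 'A' (U+FF21) vs ASCII 'A': only the compatibility form folds it.
    print(compare_forms("pass\uff21", "passA"))
```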

Generated at Thu Feb 08 03:24:20 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.