How do you handle passwords for services when the user enters something that is best represented in Unicode or some other non-Latin character encoding?
Specifically, can you use a Cyrillic password as a password to Oracle? What do you do to verify a user's password against a Windows authentication mechanism if the password is provided as UTF-8?
I have some ideas on how this should be handled in our code, but I'm looking for advice from others to make sure our direction is sound.
The encoding itself should not pose a problem on the encryption, most algorithms operate on bytes, not on characters. The only thing that could be a problem is: Encrypting the same password with different encodings could yield different values if exotic (non-ASCII) characters are used in the password. Converting the password to a fixed encoding (like UTF8) should solve that problem, though.
You might have problems with the authentication mechanisms length restrictions.
e.g. If the system specifies a max length of 12 bytes, this could easily be exceeded by five chinese characters in utf-8, this is not a problem as such because four chinese characters should have enough entropy, but, you need to be careful about error messsages.
Other problems may arise if the authentication mechnism enforces rules like "at least one each of upper case, lower case, punctuation and numeric characters" - several languages have no upper/lower case characters, and there are dozens characters defined in unicode that a native speaker would think of as numbers but may not be recognised as such by a poorly implemented rule.