[cryptography] Oddity in common bcrypt implementation
marsh at extendedsubset.com
Wed Jun 29 19:06:35 EDT 2011
On 06/29/2011 05:41 PM, Jeffrey Walton wrote:
> From my interop-ing experience with Windows, Linux, and Apple (plus
> their mobile devices), I found the best choice for password
> interoperability was UTF8, not UTF16.

I use UTF-8 whenever possible, too.

Just to be clear here, the native OS Win32 API that must be used in some
configurations accepts UTF-16LE passwords for authentication. That's not

Neither is it my choice what encoding the remote endpoint happens to be
using. It doesn't even tell me.

My code simply has to convert between them in the least-broken manner

The realities of crypto authentication protocol implementation mean I
can't log the decrypted password for debugging or ask the user about it
either. I actually added a heuristic that counts the number of "typical"
characters and logs a message to the effect of "hmm, looks like this
thing may not have decoded properly, maybe the shared secret isn't
correct". That little diagnostic has proven quite helpful at times.
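
A sketch of the kind of diagnostic the message describes, as an added example that is not part of the original post or the poster's code. It assumes "typical" means printable ASCII and uses a 0.8 threshold; the function names, logger name, and sample byte strings are constructed for illustration.

```python
import logging

log = logging.getLogger("auth.diag")  # hypothetical logger name

def typical_ratio(text: str) -> float:
    """Fraction of characters that are printable ASCII (0x20..0x7E).

    Assumption: printable ASCII stands in for "typical"; a deployment with
    non-Latin passwords would widen this set.
    """
    if not text:
        return 0.0
    return sum(1 for ch in text if " " <= ch <= "~") / len(text)

def check_decoded(raw: bytes, encoding: str, threshold: float = 0.8) -> bool:
    """Decode a decrypted password and report whether it looks plausible.

    Only the length and the ratio are logged, never the password itself.
    """
    # errors="replace" turns malformed sequences into U+FFFD, which counts
    # as atypical instead of raising.
    text = raw.decode(encoding, errors="replace")
    ratio = typical_ratio(text)
    plausible = ratio >= threshold
    if not plausible:
        log.warning(
            "password (%d chars, %.0f%% typical) may not have decoded "
            "properly; check the shared secret and the peer's encoding",
            len(text), ratio * 100,
        )
    return plausible

# Constructed sample: a password as a Win32-style UTF-16LE byte string.
SAMPLE_UTF16 = "correct horse 42!".encode("utf-16-le")
# Constructed stand-in for the output of decrypting with a wrong shared secret.
GARBAGE = bytes(range(0x80, 0xA0))

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(check_decoded(SAMPLE_UTF16, "utf-16-le"))  # right encoding
    print(check_decoded(SAMPLE_UTF16, "utf-8"))      # wrong encoding: NULs
    print(check_decoded(GARBAGE, "utf-16-le"))       # wrong secret
```

The heuristic is only a hint for the operator reading the log: a low ratio does not prove the secret is wrong, and the authentication result should not depend on it.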