Character encoding issues for web passwords

Password authentication remains ubiquitous on the web, primarily because of its low cost and compatibility with any device which allows a user to input text. Yet text is not universal. Computers must use a character encoding system to convert human-comprehensible writing into bits. We examine for the first time the lingering effects of character encoding on the password ecosystem. We report a number of bugs at large websites which reveal that non-ASCII passwords are often poorly supported, even by websites otherwise correctly supporting the recommended Unicode/UTF-8 character encoding system. We also study user behaviour through several leaked data sets of passwords chosen by English, Chinese, Hebrew and Spanish speakers as case studies. Our findings suggest that most users still actively avoid using characters outside of the original ASCII character set even when allowed to. Coping strategies include transliterating non-ASCII passwords using ASCII, changing keyboard mappings to produce nonsense ASCII passwords, and using passwords consisting entirely of numbers or of a geometric pattern on the keyboard. These last two strategies may reduce resistance to guessing attacks for passwords chosen by non-English speakers.