TofuSec is a user on octodon.social.

Going "heck people who use other languages" is a very bad way to patch your crappy username security policies.

Just use friggin Unicode and do uniqueness checks on similar/identical characters

Or something like that. There's more than one way to season tofu.
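One way to do the "uniqueness checks on similar/identical characters" from the post above, as an added Python example that is not part of the thread: handles are reduced to a confusable-folded skeleton and uniqueness is enforced on that, while the display name stays as typed. The confusable table here is a constructed, deliberately partial stand-in for Unicode's confusables.txt (UTS #39), and folding l/i/| with the digit one is a policy assumption, not a standard.

```python
"""Confusable-aware username uniqueness check (added example, not from the thread)."""
import unicodedata

# Constructed, deliberately partial lookalike table; real code should derive
# it from Unicode's confusables.txt (UTS #39). Values are the canonical form.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                 # Cyrillic с у х
    "\u03bf": "o",                                                # Greek omicron
    "\u0131": "i",                                                # dotless i
    "l": "1", "i": "1", "|": "1",  # policy choice: fold l/i/| with digit one
    "o": "0",                      # and letter o with digit zero
}

def skeleton(handle: str) -> str:
    """Canonical form used only for collision checks, never for display."""
    # NFKC folds fullwidth forms and ligatures; casefold handles case
    # (including cases lower() misses, e.g. German sharp s).
    text = unicodedata.normalize("NFKC", handle).casefold()
    out = []
    for ch in text:
        # Drop format chars (ZWSP, ZWJ, bidi controls) and combining marks.
        if unicodedata.category(ch) == "Cf" or unicodedata.combining(ch):
            continue
        # Follow the table to a fixpoint: Cyrillic о -> o -> 0.
        for _ in range(3):
            ch = CONFUSABLES.get(ch, ch)
        out.append(ch)
    return "".join(out)

class UsernameRegistry:
    """Stores display handles; uniqueness is enforced on skeletons."""
    def __init__(self) -> None:
        self._by_skeleton: dict[str, str] = {}

    def register(self, handle: str) -> bool:
        """Return True if the handle was accepted, False on a lookalike collision."""
        key = skeleton(handle)
        if key in self._by_skeleton:
            return False
        self._by_skeleton[key] = handle
        return True

if __name__ == "__main__":
    reg = UsernameRegistry()
    reg.register("alice")
    # Constructed probes: Cyrillic а, uppercase, zero-width space, fullwidth a
    for probe in ["\u0430lice", "ALICE", "a\u200blice", "\uff41lice", "bob"]:
        print(repr(probe), "accepted" if reg.register(probe) else "rejected")
```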

There's a trend to use unique numbers/hex-codes instead of usernames for identification. This is a good trend IMO

Much more secure because hex sets don't have a lot of lookalikes, and you can allow diverse vanity names in non-security sensitive contexts

@tofusec Except people won't use the hex-based identifiers, and the machines are rarely* confused by the Unicode names that mess up humans, no?

* Okay, yes, Unicode canonicalization is a pain, but I'm not aware of it being the source of vulnerabilities very much?

@aschmitz No. The idea is you still have your normal vanity username. The hex code is used for sensitive things like logins, profile page URLs, etc.

@aschmitz You'd use a hex code for adding friends in IMs, for instance.

@tofusec Mm, but why not generate your own then? For example, Mastodon allows a username and a display name that are different, as do most services?

@aschmitz Yes, but the normal handle is still vulnerable to lookalike attacks unless you restrict a lot. At which point it may as well be a string of numbers

@tofusec Right, but I guess if you're concerned about that you can use a username that's just a string of numbers? Or are you saying homoglyphs are a problem there too? Restricting to ASCII sucks for a lot of reasons, but it's pretty simple and avoids a lot of those problems.

TofuSec @tofusec

@aschmitz (0/4) Well, hex codes are just like numbers except they can be even shorter. Is 9ABC really harder to type than 1789?
