Going "heck people who use other languages" is a very bad way to patch your crappy username security policies.
Just use friggin Unicode and do uniqueness checks on similar/identical characters
Or something like that. There's more than one way to season tofu.
There's a trend to use unique numbers/hex-codes instead of usernames for identification. This is a good trend IMO
Much more secure because hex sets don't have a lot of lookalikes, and you can allow diverse vanity names in non-security sensitive contexts
@tofusec Except people won't use the hex-based identifiers, and the machines are rarely* confused by the Unicode names that mess up humans, no?
* Okay, yes, Unicode canonicalization is a pain, but I'm not aware of it being the source of vulnerabilities very much?
@aschmitz No. The idea is you still have your normal vanity username. The hex code is used for sensitive things like logins, profile page URLs, etc.
@aschmitz You'd use a hex code for adding friends in IMs, for instance.
@tofusec Mm, but why not generate your own then? For example, Mastodon allows a username and a display name that are different, as do most services?
@aschmitz Yes, but the normal handle is still vulnerable to lookalike attacks unless you restrict a lot. At which point it may as well be a string of numbers.
@aschmitz I mean Mastodon restricts the char set quite a bit. That works, I guess. I still like numbers better though.
@aschmitz Although I'm worried in the case of Mastodon that if some instance does a custom font, you're going to have issues with ls and Is etc
@aschmitz Restricting to numbers or hex codes is MUCH less complex and erases issues of cultural bias.
@tofusec Er? Assuming you're okay with making people memorize sequences of hex digits (eek?), it's not exactly as though [a-f] exist in the writing systems of a lot of languages? (Sure, Arabic numerals are pretty widespread, but rough to memorize, particularly if you have one for each service.)
@aschmitz You don't have to memorize it. It's synonymous to a username not a password. You can write it down or w/e.
@aschmitz >start software
>software auto-authenticates with device key/login token/whatever
>Code displayed in prominent location in UI
This can be made easy
@aschmitz People don't seem to have a problem adding their friends via Snapchat QR or w/e. Viability of solutions varies a lot. To each their own I guess.
@tofusec Yes, but I assume not everyone wants to dig up their phone/computer and open an app every time they want to tell someone how to contact them online. (That is, this happens offline with some regularity, I assume.)
Anyway, I'm not saying it's intractable, I just don't know how much it gains. (In particular, for federated services, you're *mostly* sitting on top of lowercase-ascii-letters-and-numbers for domain names. Sure, punycode exists, but browsers won't render it on most TLDs.)
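The "uniqueness checks on similar/identical characters" idea from the start of the thread, and the "ls" vs "Is" problem raised later, as an added example (not code from either poster): usernames are reduced to a lookalike-insensitive skeleton (NFKC normalization, a confusables map, casefolding, and stripping of combining and invisible format characters) and registration is refused when the skeleton already exists. The confusables table here is a constructed, deliberately tiny stand-in; a real deployment would load the full Unicode UTS #39 confusables data.

```python
import unicodedata

# Constructed, deliberately small confusable table (assumption: a real
# service would use the full Unicode UTS #39 confusables data instead).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u03bf": "o",  # Greek small omicron
    "0": "o",       # digit zero vs letter o
    "1": "l",       # digit one vs small l
    "I": "l",       # capital I vs small l (the "ls" vs "Is" case)
    "|": "l",       # vertical bar vs small l
}


def skeleton(name: str) -> str:
    """Reduce a username to a key that lookalike variants share."""
    # NFKC folds compatibility forms (fullwidth letters, ligatures) into base chars.
    s = unicodedata.normalize("NFKC", name)
    # Collapse confusables before casefolding so 'I', 'l', '1' and '|' all become 'l'.
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = s.casefold()
    # Decompose and drop combining marks, so 'é' and 'e' share a key.
    s = "".join(ch for ch in unicodedata.normalize("NFD", s)
                if not unicodedata.combining(ch))
    # Drop invisible format characters (category Cf: zero-width space, joiners).
    return "".join(ch for ch in s if unicodedata.category(ch) != "Cf")


class UsernameRegistry:
    """Keeps the user's chosen vanity name but enforces uniqueness on the skeleton."""

    def __init__(self) -> None:
        self._by_skeleton: dict[str, str] = {}

    def register(self, name: str) -> bool:
        key = skeleton(name)
        if key in self._by_skeleton:
            return False  # a lookalike of an existing name: refuse it
        self._by_skeleton[key] = name
        return True

    def conflicts_with(self, name: str):
        """Return the already-registered name this one would be confused with, if any."""
        return self._by_skeleton.get(skeleton(name))
```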