Going "heck people who use other languages" is a very bad way to patch your crappy username security policies.
Or something like that. There's more than one way to season tofu.
There's a trend to use unique numbers/hex-codes instead of usernames for identification. This is a good trend IMO.
Much more secure because hex sets don't have a lot of lookalikes, and you can allow diverse vanity names in non-security-sensitive contexts.
@tofusec Except people won't use the hex-based identifiers, and the machines are rarely* confused by the Unicode names that mess up humans, no?
* Okay, yes, Unicode canonicalization is a pain, but I'm not aware of it being the source of vulnerabilities very much?
@aschmitz No. The idea is you still have your normal vanity username. The hex code is used for sensitive things like logins, profile page URLs, etc.
@aschmitz You'd use a hex code for adding friends in IMs, for instance.
@tofusec Mm, but why not generate your own then? For example, Mastodon allows a username and a display name that are different, as do most services?
@aschmitz Yes, but the normal handle is still vulnerable to lookalike attacks unless you restrict a lot. At which point it may as well be a string of numbers.
@aschmitz I mean Mastodon restricts the char set quite a bit. That works, I guess. I still like numbers better though.
@aschmitz Although I'm worried in the case of Mastodon that if some instance does a custom font, you're going to have issues with ls and Is, etc.
@aschmitz Restricting to numbers or hex codes is MUCH less complex and erases issues of cultural bias.
@tofusec Er? Assuming you're okay with making people memorize sequences of hex digits (eek?), it's not exactly as though [a-f] exist in the writing systems of a lot of languages? (Sure, Arabic numerals are pretty widespread, but rough to memorize, particularly if you have one for each service.)
@aschmitz You don't have to memorize it. It's synonymous with a username, not a password. You can write it down or w/e.
@tofusec Sure, but if it's the way you propose to add other people, it's more convenient if you memorize your own. Admittedly people usually memorize their own phone numbers, though, so it's plausible. (Gotta add a namespace for domain/service/whatever, but that's probably not too hard.)
@aschmitz >start software
>software auto-authenticates with device key/login token/whatever
>Code displayed in prominent location in UI
This can be made easy.
@tofusec Yes, but I assume not everyone wants to dig up their phone/computer and open an app every time they want to tell someone how to contact them online. (That is, this happens offline with some regularity, I assume.)
Anyway, I'm not saying it's intractable, I just don't know how much it gains. (In particular, for federated services, you're *mostly* sitting on top of lowercase-ascii-letters-and-numbers for domain names. Sure, punycode exists, but browsers won't render it on most TLDs.)
@aschmitz People don't seem to have a problem adding their friends via Snapchat QR or w/e. Viability of solutions vary a lot. To each their own I guess.
@aschmitz Although you raise a good point about hex, it'd make sense to just use Arabic nums, yes.
@tofusec Right, but I guess if you're concerned about that you can use a username that's just a string of numbers? Or are you saying homoglyphs are a problem there too? Restricting to ASCII sucks for a lot of reasons, but it's pretty simple and avoids a lot of those problems.
@aschmitz (0/4) Well, hex codes are just like numbers except they can be even shorter. Is 9ABC really harder to type than 1789?
Just use friggin Unicode and do uniqueness checks on similar/identical characters