[RADIATOR] UNS: Re: Unicode in nthash passwords
Dubravko Penezic
dpenezic at srce.hr
Mon May 11 19:11:09 UTC 2026
Hi all,
On 5/11/26 8:57 PM, Stefan Paetow via radiator wrote:
>>> The system that feeds our database with NT hashes certainly does not
>>> normalize to NFD (o_umlaut -> o + combining umlaut), as I have seen
>>> precomposed characters with umlauts. I am not sure if it normalizes to
>>> NFC or NFKC (o + combining umlaut -> o_umlaut), but I doubt it. In
>>> fairness, Windows's password routines don't seem to perform any
>>> normalization either.
>>
>> I think including normalization support is a good idea in general, but
>> "don't normalize and hope for the best" should be one of the options.
>
> Sadly, Windows with its 30+ year history and questionable encoding practices from the 16/32-bit era (with code pages and the lot) will always carry a lot of cruft with it, and I think where possible, Windows relies on its default encoding for the likes of the Umlauts (ä, ë, ï, ö, ü etc) because they exist in the extended ASCII table. Same happens for the GBP Sterling symbol (£) which is character 156 in extended ASCII (on CP437), but 163 in Unicode, ISO-8859-[1/3/7/9] and Windows-125[2-8].
>
> I know the Yen and the Euro have similar issues. Euro shows up as character 128 in Windows-1252, but in extended ASCII that's a capital C-cedilla (Ç). The Euro is replaced by another character on specific Windows code pages and doesn't exist at all in ISO-8859: https://www.ascii-code.com/CP1252/128
>
> So I'm all for identity providers to specify which encoding should be used.
And we do, for all our 230+ IdPs. Users may use Croatian characters in
passwords, but we do not guarantee that this will work; even if it works
today, it may stop working tomorrow. In the last 23 years we have had only
two complaints across 1M+ users.
Dubravko Penezic
Srce
>
> :-)
>
> Stefan Paetow
> Federated Roaming Technical Specialist
> eduroam(UK), Jisc
>
> email/teams: stefan.paetow at jisc.ac.uk
> gpg: 0x3FCE5142