This is a very good article, but one thing I'd like to point out is that if you're allowing Unicode passphrases (which in itself is a good idea), you definitely need to normalize them (to any form you wish, as long as it's consistent) before hashing them. Otherwise, you risk ending up with different hashes that don't match just because the Unicode representation of the password is different.
I wrote an article about the need for Unicode normalization a few months ago: withblue.ink/2019/03/11/why-you-ne...
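As an added illustration of the point this comment makes (example code, not the commenter's or the linked article's), the snippet below hashes the same passphrase in NFC and NFD form and shows that the hashes only match once both are normalized to one fixed form; the salt and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the passphrase "café" typed two ways.
# NFC form uses the precomposed U+00E9; NFD form uses "e" followed by
# U+0301 (combining acute accent). Both render identically on screen.
PASS_NFC = "caf\u00e9"
PASS_NFD = "cafe\u0301"

# Constructed fixed salt so the demo is reproducible; real code generates a
# fresh random salt per user and stores it next to the hash.
SALT = b"example-salt-not-for-production"
ITERATIONS = 100_000  # kept low for demo speed; tune much higher in production


def hash_raw(passphrase: str, salt: bytes = SALT) -> bytes:
    """Hash the passphrase exactly as typed, with no normalization."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)


def hash_normalized(passphrase: str, salt: bytes = SALT, form: str = "NFC") -> bytes:
    """Normalize to one fixed form, then hash. The same form must be applied
    when the passphrase is first set and every time it is later verified."""
    canonical = unicodedata.normalize(form, passphrase)
    return hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"), salt, ITERATIONS)


def verify(stored: bytes, candidate: str, salt: bytes = SALT, form: str = "NFC") -> bool:
    """Constant-time comparison of a candidate against a stored normalized hash."""
    return hmac.compare_digest(stored, hash_normalized(candidate, salt, form))


if __name__ == "__main__":
    print("raw hashes match:       ", hash_raw(PASS_NFC) == hash_raw(PASS_NFD))
    print("normalized hashes match:", hash_normalized(PASS_NFC) == hash_normalized(PASS_NFD))
```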