>In other testing, I found that Zoom has a maximum password length of 10 characters, and whilst it accepts non-ASCII characters (such as ü, €, á) it converts them all to ? after you save the password
Maximum password length of 10 chars, and auto-converting non-ASCII to '?' are both extremely egregious password practices. Why does it not surprise me Zoom is doing both. I wonder if they also silently truncate passwords > 10 chars?
These are absolute basics. Let alone not rate limiting and the laundry list of other terrible (lack of) security practices.
They do silently truncate account passwords greater than 32 characters, but what's (arguably?) worse is they only do it in some places and not others.
I use 1Password and sometimes when it pastes in it works, sometimes the UI complains the password is longer than 32 characters.
I sent them a screen shot on Twitter [0] figuring their US support people would see it, but they didn't seem to care that much (got some generic response).
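As an added example (not from anyone in this thread), the snippet below models the two behaviours described above, replacing non-ASCII characters with '?' and silently truncating, as a constructed `flawed_normalize` policy, and probes it with pairs of distinct passwords that should never verify as one another; the probe pairs, user names and iteration count are constructed test values.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 50_000  # constructed; low enough for a quick probe run


def flawed_normalize(password: str) -> bytes:
    """Constructed model of the reported behaviour: non-ASCII becomes '?'
    and the result is silently cut to 10 characters."""
    return password.encode("ascii", errors="replace")[:10]


def sound_normalize(password: str) -> bytes:
    """Preferred handling: NFC-normalize, then hash the full UTF-8 bytes."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def make_store(normalize):
    """Return (set_password, verify) closures that hash with PBKDF2-HMAC-SHA256
    over whatever `normalize` yields, so both policies are probed alike."""
    records = {}

    def set_password(user, pw):
        salt = os.urandom(16)
        records[user] = (salt, hashlib.pbkdf2_hmac("sha256", normalize(pw), salt, ITERATIONS))

    def verify(user, pw):
        salt, stored = records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", normalize(pw), salt, ITERATIONS)
        return hmac.compare_digest(stored, candidate)

    return set_password, verify


# Constructed probe pairs: two different secrets per pair. If the second one
# logs in after setting the first, the backend is mangling passwords.
DISTINCT_PAIRS = [
    ("Tr0ub4dor&3", "Tr0ub4dor&4"),   # differ only past character 10
    ("pässwörd!1", "p?ssw?rd!1"),     # differ only in non-ASCII letters
    ("correct-horse", "correct-ho"),  # full secret vs its truncated prefix
]


def find_collisions(normalize, pairs=DISTINCT_PAIRS):
    """Set each pair's first password, attempt login with the second, and
    return the pairs that were wrongly accepted (empty means no mangling)."""
    set_password, verify = make_store(normalize)
    collisions = []
    for i, (real, other) in enumerate(pairs):
        set_password(f"probe{i}", real)
        if verify(f"probe{i}", other):
            collisions.append((real, other))
    return collisions
```

Running `find_collisions` against a real signup/login flow instead of the in-memory store is how you would confirm whether a service truncates or mangles before hashing.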
Entering Chinese characters requires using an input method engine that turns keyboard input into a list of candidate words from which the user picks the correct one. If you used that method to enter a password, shoulder surfing would be trivial. I think it's usually automatically disabled for password input fields.
Additionally, there are other methods like Zhuyin that some people (typically the older generation that used computers before contextual dropdowns) use. I believe those keys just map 1-1 with American keyboards so they would just type the keycodes for Chinese characters and ASCII is inputted into the password field, but correct me if I'm wrong.
Zhuyin is just another way to input Chinese phonetically, so it requires the same feedback mechanism to choose the correct character. You're probably thinking of Cangjie, which was designed to have a unique code for each character, so theoretically it doesn't require feedback but modern implementations seem to have it anyway.