Account Problems
My password is just every Unicode codepoint concatenated into a single UTF-8 string.
My password is just every Unicode codepoint concatenated into a single UTF-8 string.
Cueball asks Ponytail to help him because he can't log in to his account. Having attempted to fix Cueball's tech issues in the past, Ponytail replies with dread. Cueball promises that "It's a normal problem this time", and Ponytail agrees to look at it. But then Cueball reveals that he has included a null string terminator character in his password when creating an account and now he can't log in.
In computer systems, every "character" (letter, digit, punctuation, etc.) is represented as an integer. For example the lowercase letter 'a' is represented as the number 97, and the digit '1' is represented as the number 49 (when using the ASCII character encoding or Unicode character encoding). A "string" refers to a sequence of characters, and can be used to store arbitrary text (for example names, messages, passwords). Strings can be arbitrarily long, so some mechanism must be used to record their length. One approach is to store the length explicitly (Pascal string). Another approach is to mark the end of the string using a specific character, usually the null character (which is represented as the number 0); such strings are called null-terminated strings, and are used by the C programming language. Both approaches have advantages and disadvantages. A limitation of null-terminated strings is that they cannot be used to represent text containing embedded null characters. This is usually not a problem, because normal text never contains null characters. However, if somehow a null character were to end up in the string, it would cause problems: any code that uses that string would assume this null character marks the end of the string, so the string would effectively be cut off.
Account registration systems often place requirements on passwords in an attempt to encourage users to pick stronger passwords. For example, they might ask that the password include at least one "special character" (such as
!@#$%^&*). Cueball misunderstood this requirement as referring to characters such as the null character (which is more accurately referred to as a control character). Cueball managed to type the null character as part of his password somehow (on some systems it is possible to type the null character using certain keyboard shortcuts such asCtrl+Space,Ctrl+@,Ctrl+2, orAlt+0using the number pad), but the software running the registration system was poorly written and could not cope with this – it allowed him to create an account with that password, but then when he tried to log in with the same password the system didn't accept it.It's unclear how that particular situation might arise in real software, but here is a similar situation that can easily happen in practice: Suppose a website's registration form allows the user's new password to have up to 20 characters, but due to a programmer error the login page only accepts passwords with up to 18 characters. If the user picks a medium-length password (say with 12 characters), all is well. But if the user picks a password with 20 characters, they will find themselves in the same position as Cueball, being able to register but not able to log in. Some additional situations are described below.
The title text describes a password which is "just" every Unicode character concatenated into a single string. Unicode is a standard for representing characters from many writing systems, and it has 149,186 characters as at the time of this comic (with new characters being added over time). A password consisting of all of those characters would be extremely long; it would be impractical to type by hand, and would be too long for pretty much all account registration systems. (A "codepoint" is the number assigned to a character, and UTF-8 is a common encoding system for representing each Unicode codepoint as a sequence of bytes.) Also, since Unicode includes the null character, the password would have the same issue as Cueball's password. Further, if the account registration system treats the null character as a string terminator (as in C), then the password would be equivalent to an empty password (assuming it contains the Unicode codepoints in order, starting with the null character).