Security expert reveals surprising way to make your password stronger: use emojis

The website should feed your password straight into a well known hashing algorithm or key derivation function that has undergone a decade or more of careful scrutiny, without any other processing. The output will usually be a fixed length base64 or hex string.

There's a short list of about three options that are currently considered acceptable, and a few more are probably fine but are a little too easy to crack these days (e.g. anything that shares the same math as bitcoin... what if someone throws a mining datacentre at your password?)

If the site breaks, maybe you don't to be a customer of that service.

auth servers breaking from emojis would be hilarious, pretty sure that's why older auth servers only allow certain symbols in passwords

If some auth server breaks because I put emojis in my password then that's right and deserved

Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin' for not stripping non-UTF characters (or making sure they work).

My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn't have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn't even recognize it.

So if anything, I'd say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboards layout can be installed across devices and are fully standardized, even if the same character looks slightly different.

OTOH, there is only one character set that matters, and any system using a different one is, by that fact alone, broken.

and there are many trash implementations that dont recognise something like :emoticon: as shortcut and turn it into emoji, no no you have to use emoji keyboard to type them

That only applies to iphones that came out 2016 or earlier and we're never updated right?

Correct horse battery staple!

Jeez, you're right. We got pens, pencils, stock charts, even those folders with the colored label tabs, but no stapler, the most basic of office equipment.

Security Experts probably don't log into smart tvs all that often. Just a guess.

Logging in a smart tv? Lol!

All the apps I've used recently use QR codes (or similar measures, like a sync code) that has you log in from the phone, so it should work anyway!

Scan the QR code and log in on your phone. Oooh scary

You know there's someone somewhere who would answer you with, "what's a desktop?"

Wait, you can't type emoji on your desktop? I feel sorry for you. 🥺

For Windows 10/11, its win+; to open the emote window.

Under Windows press Win+.

Security experts don't actually have to work on corporate IT systems.

So you've set your password to contain a 😇 have you?
Ok so how are you going to type it on this desktop computer keyboard here…
Yeah I thought not.

I'll just go reset your password shall I?

I got it to a stable 54% by using an

and a stable 56% by just typing randomly and adjusting my patterns based on the colored output, which might have skewed my results. Certainly a very cool tool, I also liked the explanation linked on the page!

How many websites/services don't support such lengthy passwords these days?

I like doing entire phrases with some rhymes thrown in. Makes it easier to remember them.

"BonyTonyMoansHe'sOnlyGrownLonely" has a shitload of characters, and a full sentence (even a nonsensical one like that) is more memorable to me than a random handful of disparate words.

The more ridiculous, the better. (And, naturally, don't forget your numbers and symbols)

EDIT: Actually, no idea why I made it all one group of words. So long as spaces are in the password's character space (and they very well should be if friggin' emojis are), there's nothing stopping you from doing an entire, punctuated sentence- other than that we've been conditioned not to think of a password that way.

"Skinny Kenny's friend, Mini Ben, has 20 chins." That should be a fully-acceptable password with 46 characters (48 if you add the quotes), capital letters, numbers, and special characters.

I love it, Bitwarden has supported generating passphrase style passwords for a while and it's basically that. It's my go-to these days.

Four words is too low these days to protect against gpu bruteforcing

Just be sure to throw in symbols and numbers to beef it up. Dictionary words are easier to brute force.

I prefer picking a sentence or so that has meaning to me, using the first letters, and then adjusting for numbers/symbols. So if I wanted to make that a pw, it'd be 1ppa505thm2m,utfl,atafn/5. -looks completely unintelligible, but as long as you can remember the sentence and have some ideas of how you would have encoded it, easy enough to remember/recreate.

Password database

But only save emojis in it lol

Two of my colleagues still use locally stored plaintext for individual work credentials, despite having been shown where the password manager is. Both have accessed their files in front of me. If it's not in those files it's saved in the browser (because convenience is a hell of a drug). Now you start to see why discrete managers have a hard time, even amongst technology workers.

Out of curiosity, what makes you say so?

Edit: Oh. Did a "Wooosh" happen to me right now? Are you being ironic and referring to the XKCD thing about how to make a secure password using words in phrases?

👆

Honestly you'd be surprised how many places it just works magically. I was surprised to find that Office365 users could use emojis in names for Microsoft Teams which had no problem syncing those accounts back to an on-prem Active Directory. You can use emojis to name a whole SQL database, let alone users/passwords on it.

I keep wondering if I need to figure out how to turn that off but it hasn't caused any problems. It's definitely sketchy looking though when you see a bunch of normal usernames and then suddenly one is just ten snowman emojis in a row.

It's all just Unicode so in theory a password system shouldn't think that emoji or any more interesting than any other character. To a computer the letter B and the emoji ✈️ equivalent in that they're both just normal characters that one can type.

Sort of, emoji are usually treated as two or more normal characters so ✈️ might be equivalent to BB. But the basic point is the same.

It should work reasonably well in password systems that hash the password from a UTF-8 encoding... Which should be most things really. If the system is trying to process everything with ASCII, maybe not. It might even appear to work but get converted to some other character (which is kind of the worst case)... That should be rare in web applications though

💀💀💀💀💀💀💀🗿🗿🗿🗿🗿🗿🗿🚣👍👍👍👍👍👍🔥🔥🔥🔥🔥🔥🔥 sigma

the emojis and text above are a part of the reason

People who use them tend to spam the hell out of them. Like, 8 of the same emoji. And they use them every other sentence. It's obnoxious, you only need one or two to get the point across.

Back in my day we only had 95 printable characters, and that's the way we liked it! /s

Antisocial people.

It was the same on Reddit. All of the people who despised emojis were often posting in really cringe and incel related subs.

My use of emojis sky rocketed after I started dating. They are fun and convey emotion really well.

They didn't exist yet when I was an early teenager, all we had were emoticons that might be replaced by images by the forum software, so of course I think they're stupid /s

Without sarcasm, it is a good thing we have standardized symbols now and don't have to implement emoticon replacement into forum or chat or social media software. If only because half of such implementations replaced any occurrence of the number 8 followed by a closing parenthesis with 😎 even when that wasn't the intended meaning (one can think of many other times one would end a parenthetical statement with the number 8).

Most modern OSes feature emoji pickers though

(👁 ͜ʖ👁) 𓂺

-The most secure password

Wingdings for life baby!

Was gonna say... you're relying on the consistency of external emoji handlers that you don't control. Ascii emojis are one thing.

Thanks for the feedback! I'll be sure to use non-printing characters instead of emojis for my passwords! (They can't guess it if it's invisible right?)

In all seriousness, why are people so adverse to using password managers? People are plenty willing to use the browsers built-in "remind my password" instead of a proper password solution such as bitwarden... And they come up with such "hacks" just to avoid using a proper length password.

What's do you think is a good length? I think it has to be at least 10 but over 15 is much better.

I'm not sure what the passkey advantage over long unique password in a password database is.

Well, KeepAssXC just got passkey support so I guess it doesn't matter much

What's crypto?

You're a good friend

Emojis are standardized exactly the same way as text is, both are defined by the unicode standard. They might not be rendered uniformly, the same way that text rendering depends on the font.

If this isn't satire, that's literally what Unicode and UTF-8 are

I thought Emojis were a set standard but how they're rendered can change. So whatever it is that identifies the heart emoji is universal but iPhone, Samsung, Google, etc might render that heart differently.

Although I agree it is risky, emoji are unicode characters, just like any other unicode character. If, and that's a big if, the programmers do their job right, it shouldn't matter if you use an emoji or a random kanji. It's all just another character. That said, I don't trust programmers enough to run the risk. Your password might work fine on the website but then fail on the mobile app.

Someone else said "good luck on the desktop", but Windows actually has an emoji picker built right in. Win+. will bring it up. Another fun fact, usernames and computer names both support the full unicode set on Windows, including emoji. Some fun can be had with that knowledge. I haven't tried it on Linux or MacOS yet.

Yes there is, . I would say most modern devices/systems utilize it too. The reason they may look different from device to device is because the presentation style can be modified by vendors, somewhat similar to using different fonts to make letters look styled.

A nice system

What about non English words, or slang? That would be interesting information to have.

Classic old school manual emojis.

Emoticons for you kids.

Okay now's my time to shine. The words "emoji" and "emoticon" are false cognates, as in they aren't actually related. Emoticon is a few-decade old word to describe emotion+icon, like :)

Emoji is Japanese (kanji - 絵文字) for picture-word, basically. It super outdates computers.

They just happen to sound similar; isn't that fun?

Do you have trouble on physical keyboards?

Or https://en.m.wikipedia.org/wiki/Zero-width_space ? But seriously, just use unique random strings likely through a password manager.

Just come up with one strong password (see https://xkcd.com/936/) for your password manager and use randomly generated passwords for everything else. There's no reason to manually compute a hash every time you sign up for a service.

too short, for all that effort just use a sentence with a symbol and a number.

FacebookCanGoToHell!123 is more secure and easy to remember