It turns out that emoticons are considered a symbol, so they can beef up your passwords and make them more secure in combination with letters and numbers. Here’s how.
No. There's only one piece of advice that should be given to users in 2023 about how to make their passwords stronger:
Use a password manager
Just use 32 character random alphanumeric passwords that are unique for each site (you can do more like 12-16 characters if you'll ever need to enter manually).
This is it. Stop trying to create clever passwords that you can remember. You aren't as uniquely creative as you think, and there have been bodies of research into how the various things people do to create passwords that look secure can reduce the generation space so much that they become considerably easier to crack with an intelligent algorithm.
Sounds great where it works but I'm sure most systems would reject an emoji or make you type out some overly complex password in addition to your emoji.
As a software developer who has worked with a lot of symbols and emoji... PLEASE DON'T DO THIS.
Software doesn't all handle these symbols the same way, and without tech knowledge (or even with), it's very possible to not be able to log in easily. I'm kinda drunk rn, but I'll try to explain as simply as I can...
For example... skintone emojis are actually two characters, a face and a skin tone modifier. I think those ones are always two characters but some of these "multi-char" characters can be normalized into a single character. But not everyone handles this the same way. For example, Safari might normalize the emoji, but Firefox might treat it as two separate characters... And this would probably make your password not match. But basically... text has lots of edge cases; I'd advise to use normal passwords please (also maybe a password manager)
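The code-point issue raised in the comment above, as an added example that is not part of the original thread: it derives a key from text that looks the same but is encoded differently, with and without NFC normalization. The salt, iteration count and sample strings are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt

def code_points(s):
    """List the Unicode code points that make up a string."""
    return [f"U+{ord(ch):04X}" for ch in s]

def derive(password, normalize=True):
    """PBKDF2 over the UTF-8 bytes, optionally NFC-normalizing the text first."""
    if normalize:
        password = unicodedata.normalize("NFC", password)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)

def matches(enrolled, attempt, normalize=True):
    """Compare the two derived keys in constant time."""
    return hmac.compare_digest(derive(enrolled, normalize), derive(attempt, normalize))

# Constructed sample inputs
E_COMPOSED = "caf\u00e9"             # "é" as one precomposed code point
E_DECOMPOSED = "cafe\u0301"          # "e" followed by a combining acute accent
WAVE = "\U0001F44B"                  # waving hand
WAVE_TONED = "\U0001F44B\U0001F3FD"  # waving hand + medium skin tone modifier
HEART = "\u2764"                     # heavy black heart
HEART_EMOJI = "\u2764\ufe0f"         # same heart + variation selector-16

if __name__ == "__main__":
    print("skin-tone emoji code points:", code_points(WAVE_TONED))
    # Same visible word, different bytes: fails unless both sides normalize.
    print("é raw bytes match:  ", matches(E_COMPOSED, E_DECOMPOSED, normalize=False))
    print("é after NFC match:  ", matches(E_COMPOSED, E_DECOMPOSED, normalize=True))
    # NFC does not merge a modifier or drop a variation selector, so these
    # stay different passwords even when the server normalizes.
    print("wave vs toned wave: ", matches(WAVE, WAVE_TONED))
    print("heart vs heart+VS16:", matches(HEART, HEART_EMOJI))
```

Normalizing on the server before hashing removes the composed/decomposed mismatch, but it does nothing for sequences that differ by a modifier or a variation selector.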
Emojis do not look the same on all platforms. Let's take white large square ⬜ for example. Emojipedia shows what that emoji looks like on 26 different vendors. Some are pure white, some are shades of grey, and then there's Microsoft who in its usual infinite wisdom decided it should be purple. Large yellow square 🟨 is a tossup between actually yellow and orange. This issue is also exacerbated with different displays displaying colours differently. Factors such as color accuracy, viewing angle, brightness affect how you perceive colour.
This also extends to face emojis. Grinning face with big eyes (Emojipedia link) isn't that easy to tell apart from grinning eyes (Emojipedia link).
Emoji support depends on your device. I'm on Windows 11 22H2 which recently added support for shaking face 🫨. Problem is, Windows' emoji picker Win + . (period) doesn't have it. Trying to log in on a friend's phone that's still on iOS 15 or Android 12, before shaking face came out? Enjoy manually copy/pasting the emoji from Emojipedia.
Last week or two I've been learning more about passkeys, and it makes threads like this seem ridiculously out of date.
Given the choice between emojis and passwords and hard crypto, I'll take the crypto.
A long time ago a friend of mine used a set of key presses to generate a smiley face to put in his BIOS, which ended up in a situation where he was not able to type the same smiley face into the password prompt. I had to teach him to reset his BIOS battery to get back into the BIOS.
It will look like it's random - for example "I like my lemmy only with beans and bacon" becomes "ilmlowbab" - and it comes from a far vaster possibility space (every possible sentence and it need not even make sense) than that of "words in the English language and derived words" so it's a lot harder to try to crack with a dictionary attack.
Also it works in everything that takes ASCII characters (i.e. everything but numeric only pin codes).
this feeeels like the stupidest idea I've ever heard.. it's not like there's really an emoji standard applied as universally as text, across devices or applications... the transforms that happen... this seems fraught with terribleness
For petty services where you don't want to have to break out the password manager, try making your own mental salted hash.
Pick four long words at random. Assign each of these to the four quadrants of the alphabet.
A-F - Equipment
G-M - Triumphant
N-S - Sampling
U-Z - Fatigued
Pick one number:
4
Now, take the first letter of the service that the password is for, and that selects your quadrant word. Take the number of letters in the service and multiply it against your number. Take the last letter of the service, and on your QWERTY keyboard, move all the way to the right of that line to select the first symbol there. That's your unique password that's salted with your personal words and number.
Facebook = Equipment32:
Lemmy = Triumphant20{
Pizza Hut = Sampling36{
If you want more security for these petty services, use longer words, bigger number, or use some other metric. Tweak the algorithm to make it unique to you. Maybe capitalize a middle letter in your salt word based on the length of the service name. Maybe add the first letter of the colour of the service logo to the password, e.g.
Facebook = Equipment32:B
Lemmy = Triumphant20{T
Pizza Hut = Sampling36{R
Petty services I would consider to be anything that's not super critical, and is at a higher likelihood of breaching my shit.
For banks, primary emails, or government services, use a more complex algorithm or a random string of chars from your password manager.
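The basic scheme from the comment above, written out as an added example (not the commenter's code), which also groups service names that end up with the same password. The words and number are the ones in the comment; the bottom-row symbol and the choice to count the space in a name are assumptions needed to make the rule executable.

```python
from collections import defaultdict

# Values taken from the comment above.
QUADRANTS = {"ABCDEF": "Equipment", "GHIJKLM": "Triumphant",
             "NOPQRS": "Sampling", "UVWXYZ": "Fatigued"}  # "T" is not covered
NUMBER = 4
# Symbol per QWERTY letter row. "{" and ":" come from the comment's results;
# "<" for the bottom row is an assumption, the comment never shows that case.
ROW_SYMBOL = {"QWERTYUIOP": "{", "ASDFGHJKL": ":", "ZXCVBNM": "<"}

def _lookup(table, letter, what):
    """Return the value whose key string contains the given letter."""
    for letters, value in table.items():
        if letter.upper() in letters:
            return value
    raise ValueError(f"{what} {letter!r} is not covered by the scheme")

def mental_password(service):
    """Apply the comment's rule: quadrant word + length * number + row symbol."""
    word = _lookup(QUADRANTS, service[0], "first letter")
    # len() counts the space, which is what makes "Pizza Hut" come out as 36.
    count = len(service) * NUMBER
    symbol = _lookup(ROW_SYMBOL, service[-1], "last letter")
    return f"{word}{count}{symbol}"

def collisions(services):
    """Group service names that the scheme maps to the same password."""
    groups = defaultdict(list)
    for name in services:
        groups[mental_password(name)].append(name)
    return {pw: names for pw, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    for name in ("Facebook", "Lemmy", "Pizza Hut"):
        print(name, "=", mental_password(name))
    # Same first-letter quadrant, same length, same keyboard row for the
    # last letter: the two services share one password.
    print(collisions(["Etsy", "eBay", "Facebook", "Lemmy"]))
```

Only the first letter's quadrant, the name length and the keyboard row of the last letter feed the result, so a password exposed at one service is also the password at every service that shares those three properties.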
Haven't read the article yet, but if you have to manually input, just stick to 6 or more randomly generated words (different languages if you would like to). A keyboard won't always have options for emojis. Your password manager's autofill/autotype everywhere else and 2FA where you can. That's it. Don't overcomplicate things; that's a good way to screw yourself over.