Sounds great where it works but I’m sure most systems would reject an emoji or make you type out some overly complex password in addition to your emoji.
Honestly you’d be surprised how many places it just works magically. I was surprised to find that Office365 users could use emojis in names for Microsoft Teams which had no problem syncing those accounts back to an on-prem Active Directory. You can use emojis to name a whole SQL database, let alone users/passwords on it.
I keep wondering if I need to figure out how to turn that off but it hasn’t caused any problems. It’s definitely sketchy looking though when you see a bunch of normal usernames and then suddenly one is just ten snowman emojis in a row.
Emojis are just a string of special characters that get recognised and replaced by an image anyway. It is the same as using those special characters separately.
It’s all just Unicode so in theory a password system shouldn’t think that emoji are any more interesting than any other character. To a computer the letter B and the emoji ✈️ are equivalent in that they’re both just normal characters that one can type.
Sort of, emoji are usually treated as two or more normal characters so ✈️ might be equivalent to BB. But the basic point is the same.
It should work reasonably well in password systems that hash the password from a UTF-8 encoding… Which should be most things really. If the system is trying to process everything with ASCII, maybe not. It might even appear to work but get converted to some other character (which is kind of the worst case)… That should be rare in web applications though
For petty services where you don’t want to have to break out the password manager, try making your own mental salted hash.
Pick four long words at random. Assign each of these to the four quadrants of the alphabet.
A-F - Equipment
G-M - Triumphant
N-S - Sampling
U-Z - Fatigued
Pick one number:
4
Now, take the first letter of the service that the password is for, and that selects your quadrant word. Take the number of letters in the service and multiply it against your number. Take the last letter of the service, and on your QWERTY keyboard, move all the way to the right of that line to select the first symbol there. That’s your unique password that’s salted with your personal words and number.
Facebook = Equipment32:
Lemmy = Triumphant20{
Pizza Hut = Sampling36{
If you want more security for these petty services, use longer words, bigger number, or use some other metric. Tweak the algorithm to make it unique to you. Maybe capitalize a middle letter in your salt word based on the length of the service name. Maybe add the first letter of the colour of the service logo to the password, EG
Facebook = Equipment32:B
Lemmy = Triumphant20{T
Pizza Hut = Sampling36{R
Petty services I would consider to be anything that’s not super critical, and is at a higher likelihood of breaching my shit.
For banks, primary emails, or government services, use a more complex algorithm or a random string of chars from your password manager.
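The scheme in the post above, written out as an added example (not the poster's own code) so its output space can be measured. The `?` symbol for the bottom keyboard row and the constructed `SAMPLE` list are assumptions; the words, the number 4 and the letter ranges are taken from the post as written.

```python
# Quadrant ranges and words exactly as listed in the post.
# Note that the letter T falls in none of the four ranges.
QUADRANTS = [("AF", "Equipment"), ("GM", "Triumphant"),
             ("NS", "Sampling"), ("UZ", "Fatigued")]
MULTIPLIER = 4

# Symbol chosen per QWERTY letter row. ':' and '{' match the post's examples;
# '?' for the bottom row is an assumption (the post shows no such case).
ROWS = [("qwertyuiop", "{"), ("asdfghjkl", ":"), ("zxcvbnm", "?")]


def quadrant_word(letter):
    """Return the salt word for a service's first letter, or None if uncovered."""
    letter = letter.upper()
    for (lo, hi), word in QUADRANTS:
        if lo <= letter <= hi:
            return word
    return None


def row_symbol(letter):
    """Return the symbol for the keyboard row holding the service's last letter."""
    for row, symbol in ROWS:
        if letter.lower() in row:
            return symbol
    return None


def mental_password(service):
    """Derive the password for a service name; None where the scheme is undefined."""
    if not service:
        return None
    word = quadrant_word(service[0])
    symbol = row_symbol(service[-1])
    if word is None or symbol is None:
        return None
    # "Pizza Hut = Sampling36{" implies the space is counted: 9 * 4 = 36.
    return f"{word}{len(service) * MULTIPLIER}{symbol}"


def collisions(services):
    """Group services that end up sharing one derived password."""
    groups = {}
    for name in services:
        groups.setdefault(mental_password(name), []).append(name)
    return {pw: names for pw, names in groups.items()
            if pw is not None and len(names) > 1}


def output_space(max_name_length=20):
    """Distinct passwords the scheme can emit once the words and number are fixed."""
    return len(QUADRANTS) * max_name_length * len(ROWS)


SAMPLE = ["Facebook", "Lemmy", "Pizza Hut", "Imgur", "Twitter", "Hulu"]  # constructed

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name!r:12} -> {mental_password(name)}")
    print("shared passwords:", collisions(SAMPLE))
    print("distinct outputs for names up to 20 characters:", output_space())
```

Two services with the same first-letter quadrant, name length and last-letter row receive the same password, and a first letter of T has no word at all under the listed ranges.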
too short, for all that effort just use a sentence with a symbol and a number.
FacebookCanGoToHell!123 is more secure and easy to remember
You’re going to memorize a unique sentence for each service?
A method like this allows you to memorize only 4 words of arbitrary length, a number, and a simple algorithm to yield unique passwords for each service.
Also you can’t really “forget” a password, because it’s connected to the name of the site. Very clever
You can also add a standard phrase to all of them that is shared between them all just to make them more complex
Equipment32:thisismypassword
yes, it is what I do now. there was a time when people memorized 10, 15 phone numbers.
Yeah putting the name of the service in the passphrase is actually pretty secure, unless the rest of the password is like “thisisapasswordforFACEBOOK” cause then one password gets leaked and the rest can be inferred.
The problem with using hash schemes like this is that when your password is leaked you can’t easily rotate the password.
This is what got me using a password manager. I didn’t want to trust a password manager because it felt like they would be highly targeted and one vulnerability would reveal everything. And let’s be honest they still are the same.
So I had my own scheme for generating passwords. I made myself a script that I could use on my phone and PC. It worked beautifully and effortlessly until occasionally a service would force me to choose a new password. When this started happening I made a new scheme for generating passwords and made a new script. When it first happened it was still reasonably easy because there was only one service I had to use the alternative. It started to become more difficult the more services asked for a new password.
I used my own system for several years until I had enough with trying to remember which services used the alternative scheme and wondered when I’d have to make a third scheme. And if I did then the mental complexity would significantly increase.
Interestingly only a couple of services publicly announced they had been hacked and none of my passwords have ever appeared on haveibeenpwned. So I wonder why these services asked for a new password and if they had been attacked why they chose not to announce it.
Not to mention if you suddenly developed amnesia or dementia
Just come up with one strong password (see https://xkcd.com/936/) for your password manager and use randomly generated passwords for everything else. There’s no reason to manually compute a hash every time you sign up for a service.
Also, for a non-remembering solution, use a security key with your password manager, the kind that plugs into USB and you have to tap a button to authenticate. Then you can generate a true random password and store it somewhere safe as a backup, and mainly use the key for day to day.
what about when you’re on your phone?
Authentication app is another option. I believe some password managers can be set up to take the master password once per device and then accept authenticator codes to unlock for each subsequent time.
Or, since your phone is probably a lot more locked down than your computer, almost every modern phone since like the days of the iPhone 5S has a cryptographic TPM/secure enclave in the processor while the fact that not every computer has one was a major sore spot in Windows 11 compatibility, it might also be acceptable to just leave the password manager unlocked on your phone all the time, depending on your threat model. Assuming your phone is both encrypted and password protected and you trust the OS to implement both securely, the pin on your phone works more like the pin on your credit card than a traditional password login on a non-encrypted non-TPM computer, so even if a bad actor physically had your phone, it would be very hard to actually extract data out of it without the passcode (assuming it’s just your garden variety cybercriminal and not the CIA or something), which would serve as your master password in that case. Hardware security features can also resist brute force attacks where someone clones your hard drive and hooks it up to their own computer to try and guess the encryption password without the wrong entry time delays slowing them down, a secure enclave will actually enforce the time delays with no easy bypass and can also be set to wipe the phone if you get the passcode wrong too many times.
Phone apps are also almost entirely sandboxed from each other and can’t directly access other apps’ data, so the risk of a malicious program reading the password manager’s cache or database is also far lower than most desktop operating systems.
Many security keys have NFC, or if you’re on a modern phone, you can use USB type C (Yubikey 5C)
I disagree with them.
- Emojis do not look the same on all platforms. Let’s take white large square ⬜ for example. Emojipedia shows what that emoji looks like on 26 different vendors. Some are pure white, some are shades of grey, and then there’s Microsoft who in its usual infinite wisdom decided it should be purple. large yellow square 🟨 is a tossup between actually yellow and orange. This issue is also exacerbated with different displays displaying colours differently. Factors such as color accuracy, viewing angle, brightness affect how you perceive colour.
  This also extends to face emojis. grinning face with big eyes (Emojipedia link) isn’t that easy to tell apart from grinning eyes (Emojipedia link).
- Emoji support depends on your device. I’m on Windows 11 22H2 which recently added support for shaking face 🫨. Problem is, Windows’ emoji picker (Win + . (period)) doesn’t have it. Trying to login on a friend’s phone that’s still on iOS 15 or Android 12, before shaking face came out? Enjoy manually copy/pasting the emoji from Emojipedia.
correct horse battery staple on the other hand looks the same on all devices.
Long time ago a friend of mine used a set of key presses to generate a smiley face to put in his bios which ended up in a situation where he was not able to type in the same smiley face into the password prompt. I had to teach him to reset his bios battery to get back into the bios.
You’re a good friend
Completely useless from many sources where I have to rely on a keyboard for entering passwords.
Mac os and windows? I haven’t seen it on my Mac but maybe on windows? Those are pretty modern. I haven’t seen it in Linux either now that I think of it.
win+. will bring it up in windows
there is a “Characters” app in Gnome that lets you pick emojis
Ctrl + ; should bring up an emoji picker in Linux when you have focused a text field
Yup, macOS has one too.
What part of the word “Keyboard” did you not understand?
As it said in the document: With a little help from your OS. So I want to log into lemm.ee from another person’s computer. I do not have my own keyboard, I neither have my additional drivers or extensions or whatever. Oops. No login.
this feeeels like the stupidest idea ive ever heard… its not like theres really an emoji standard applied as universally as text, across devices or applications… the transforms that happen… this seems fraught with terribleness
am i missing something?
Emojis are standardized exactly the same way as text is, both are defined by the unicode standard. They might not be rendered uniformly, the same way that text rendering depends on the font.
If this isn’t satire, that’s literally what Unicode and UTF-8 are
Although I agree it is risky, emoji are unicode characters, just like any other unicode character. If, and that’s a big if, the programmers do their job right, it shouldn’t matter if you use an emoji or a random kanji. It’s all just another character. That said, I don’t trust programmers enough to run the risk. Your password might work fine on the website but then fail on the mobile app.
Someone else said “good luck on the desktop”, but Windows actually has an emoji picker built right in. Win+. will bring it up. Another fun fact, usernames and computer names both support the full unicode set on Windows, including emoji. Some fun can be had with that knowledge. I haven’t tried it on Linux or MacOS yet.
I thought Emojis were a set standard but how they’re rendered can change. So whatever it is that identifies the heart emoji is universal but iPhone, Samsung, Google, etc might render that heart differently.
How they’re rendered is a set standard now too. For example there was a bit of an issue where the gun emoji could be a water pistol pointing left or a revolver pointing right… and when it was combined with a person emoji… that could lead to… issues. It’s a water pistol everywhere now.
I didn’t know that, thanks
You mean Apple changed it to a water gun and everyone followed suit so as to not have an issue?
Thanks, America, and your mass shootings.
Yes there is,
. I would say most modern devices/systems utilize it too. The reason they may look different from device to device is because the presentation style can be modified by vendors, somewhat similar to using different fonts to make letters look styled.
Yeah, I know, you said
I wonder how often curse words or obscure slang are included in dictionary attacks.
What about non English words, or slang? That would be interesting information to have.
Very smart idea, because everybody knows that dictionaries exist only in the English language /s
What do you imagine is the most used dictionary for dictionary attack? English must be up there, meanwhile Finnish for example isn’t going to be quite as popular
What do you imagine is the most used dictionary for dictionary attack?
Klingon, obviously. Every hacker who ever wants to become famous must be fluent in Klingon first, as we all know.
Lots of languages have local dialects and those dialects themselves can have their own slang. In Italy the local dialects can differ quite a bit. Do you think there are dictionaries for all the local slang in the Sardinian dialect? Lots of Italian maps don’t bother to even include Sardinia.
Haven’t read the article yet but if you have to manually input just stick to 6 or more randomly generated words (different languages if you would like to). A keyboard won’t always have options for emojis. Your password manager’s autofill/autotype everywhere else and 2fa where you can, that’s it. Don’t overcomplicate things, that’s a good way to screw yourself over.
As a software developer who has worked with a lot of symbols and emoji… PLEASE DON’T DO THIS.
Software doesn’t all handle these symbols the same way, and without tech knowledge (or even with) , it’s very possible to not be able to log in easily. I’m kinda drunk rn, but I’ll try to explain as simply as I can…
For example… skintone emojis are actually two characters, a face and a skin tone modifier. I think those ones are always two characters but some of these “multi-char” characters can be normalized into a single character. But not everyone handles this the same way. For example, Safari might normalize the emoji, but Firefox might treat it as two separate characters… And this would probably make your password not match. But basically… text has lots of edge cases; I’d advise to use normal passwords please (also maybe a password manager)
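What the comments about UTF-8 hashing and normalization mean in practice, as an added example that is not code from any poster or site. The fixed salt, the iteration count, the sample strings and the choice of PBKDF2 with NFKC are assumptions made for a repeatable demonstration.

```python
import hashlib
import unicodedata

SALT = bytes(16)       # constructed fixed salt so results repeat; use a random per-user salt in practice
ITERATIONS = 100_000   # demo value only


def code_points(text):
    """List the Unicode code points that make up a string."""
    return [f"U+{ord(ch):04X}" for ch in text]


def _kdf(data):
    return hashlib.pbkdf2_hmac("sha256", data, SALT, ITERATIONS).hex()


def derive(password, normalize=True):
    """Hash the UTF-8 bytes of a password, optionally NFKC-normalizing first.

    NIST SP 800-63B suggests NFKC or NFKD normalization for Unicode passwords.
    """
    if normalize:
        password = unicodedata.normalize("NFKC", password)
    return _kdf(password.encode("utf-8"))


def derive_ascii_lossy(password):
    """The 'worst case' layer: non-ASCII characters silently become '?'."""
    return _kdf(password.encode("ascii", errors="replace"))


# Constructed sample inputs, written as escapes so nothing is invisible.
AIRPLANE_EMOJI = "\u2708\ufe0f"          # airplane + variation selector-16 (emoji style)
AIRPLANE_TEXT = "\u2708"                 # same airplane without the selector
THUMBS_TONE = "\U0001F44D\U0001F3FD"     # thumbs up + skin tone modifier
E_COMPOSED = "caf\u00e9"                 # precomposed e-acute
E_DECOMPOSED = "cafe\u0301"              # 'e' followed by combining acute accent

if __name__ == "__main__":
    print(code_points(AIRPLANE_EMOJI), len(AIRPLANE_EMOJI.encode("utf-8")), "bytes")
    print(code_points(THUMBS_TONE))
    # Same visible text, different bytes: hashes differ unless both sides normalize.
    print(derive(E_COMPOSED, normalize=False) == derive(E_DECOMPOSED, normalize=False))
    print(derive(E_COMPOSED) == derive(E_DECOMPOSED))
    # Normalization does not unify text-style and emoji-style airplanes.
    print(derive(AIRPLANE_TEXT) == derive(AIRPLANE_EMOJI))
    # A lossy ASCII layer makes two different emoji passwords identical.
    print(derive_ascii_lossy("pass" + AIRPLANE_EMOJI)
          == derive_ascii_lossy("pass" + THUMBS_TONE))
```

Normalizing on every client and on the server fixes the composed versus decomposed case, but an input method that adds or drops the variation selector still produces a different password.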
Was gonna say… you’re relying on the consistency of external emoji handlers that you don’t control. Ascii emojis are one thing.
Is my explanation ok? The hard kombucha was… harder than I anticipated
It was pretty normal lol. Basically everything between the visual of an emoji and what “text” is entered is not in your control. So it’s great for security but not in practice as a password. What brand was the kombucha I want some.
I didn’t realize NYC has a physical Juneshine location. So I got a flight… and a Juneshine cocktail…
Thanks for the feedback! I’ll be sure to use non-printing characters instead of emojis for my passwords! (They can’t guess it if it’s invisible right?)
In all seriousness, why are people so averse to using password managers? People are plenty willing to use the browser’s built-in “remind my password” instead of a proper password solution such as bitwarden… And they come up with such “hacks” just to avoid using a proper length password.
Emojis are known to break systems in certain circumstances due to the way they’re interpreted in certain character sets.
I guarantee people doing this will not only lock out their own accounts, but may even freeze some authentication servers.
https://www.pcmag.com/news/want-to-brick-an-iphone-send-some-emojis
OTOH, there is only one character set that matters, and any system using a different one is, by that fact alone, broken.
I said only one that matters. So I already did pick one. It’s called Unicode.
UTF-8 and UTF-16 pretty much do everything, but if you have a UTF-16 emoji in a UTF-8 system, you’ll have a bad day. :(
No need to tell us how you feel every day
Those are encodings, not character sets.
IANA calls them character sets, it’s literally in the URL twice, that’s good enough for me!
That only applies to iphones that came out 2016 or earlier and were never updated right?
For that particular bug, yes, but there have been many other variations on that theme and not limited to Apple tech. I’ve seen it nuke an email send for example because the SMTP server choked on emojis placed in a subject, to, or from line.
Thanks I appreciate the clarification
Hahaha, I wish.
You would be amazed at how ancient and poorly maintained many web servers are on the modern internet. SQL injection still consistently makes the top 3 web app vulnerabilities as of 2021. If that isn’t being sanitized properly I don’t expect emojis would be handled much better.
Thanks I wasn’t aware of that
auth servers breaking from emojis would be hilarious, pretty sure that’s why older auth servers only allow certain symbols in passwords
“Your password ‘🤣umådbrø⁉️’ is breaking our server. Please change it.”
“Of course. What is the server’s root password?”
The website should feed your password straight into a well known hashing algorithm or key derivation function that has undergone a decade or more of careful scrutiny, without any other processing. The output will usually be a fixed length base64 or hex string.
There’s a short list of about three options that are currently considered acceptable, and a few more are probably fine but are a little too easy to crack these days (e.g. anything that shares the same math as bitcoin… what if someone throws a mining datacentre at your password?)
If the site breaks, maybe you don’t want to be a customer of that service.
It’s not the processing on the server that’s the problem. To reach the server the password needs to go through several layers of character encoding, if any of them fails the server will receive something different from what you meant. And when you try to login from another device and the layers will be different you’ll effectively be sending a different password.
The same character encoding that would break emoji would break a significant portion of the world’s names, so if your system can’t handle it, then you deserve all the trouble that you run into.
Unicode isn’t that hard.
You’re not wrong, but some systems, especially smaller ones are intended for English-only situations (or originally were) so non-English language situations might not be as well tested and/or may cause things to break.
Remember there are some sites that still refuse service if you put a " in your password. I’m not saying it’s right, but it’s a definite possibility.
It’s not the 90s anymore.
That is very much not a 90s problem. Especially if the company has a website and an app or is a small company not thinking about these things.
In theory this shouldn’t be an issue but it definitely could be an issue on certain services.
Can you still log in to wellsfargo accounts using the T9 translation of your password?
make one account with emoji password to test their system, if it breaks, good, go create your account somewhere else
and there are many trash implementations that don’t recognise something like :emoticon: as shortcut and turn it into emoji, no no you have to use emoji keyboard to type them
Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin’ for not stripping non-UTF characters (or making sure they work).
My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn’t have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn’t even recognize it.
So if anything, I’d say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboards layout can be installed across devices and are fully standardized, even if the same character looks slightly different.
There’s no such thing as a non-UTF8 character. You mean non-UTF8 bytes? If a system sees those, it should reject the entire input, not try to patch it up.
also some OSKs put whitespaces after inserting an emoji, some don’t. there’s no unified emoji input method yet.
Stripping characters from passwords, great idea! Right up there with truncating passwords that are too long.
Learn how to sanitise your database inputs first, damnit!
Doing that is actually a great way to tell attackers that you’re vulnerable to that type of attack.
Bypassing those front end restrictions is super easy, and the attackers don’t need an account or a password to attack you.
It’s like putting a sign that says “lock fragile; don’t tug” on the door to your business.
It’s like putting a sign that says “lock fragile; don’t tug” on the door to your business.
That one made me chuckle, it really do be like that 😂
That’s not how any of this works.
First of all, stripping passwords is never okay. You can reject the password and let the user choose a new one, but never just modify it on your own.
Then, if your system is at risk of code injection by certain characters in user input, please just shut it down and never turn it on again.
If some auth server breaks because I put emojis in my password then that’s right and deserved
Can you write any unicode character? Gotta make passwords in cuneiform
Wingdings for life baby!
Wingdings is a font.
That was a joke. There now we both said something that was plainly obvious.
(👁 ͜ʖ👁) 𓂺
-The most secure password
Grab a sentence you know well.
Pick just the first letter of each word.
It will look like it’s random - for example “I like my lemmy only with beans and bacon” becomes “ilmlowbab” - and it comes from a far vaster possibility space (every possible sentence and it need not even make sense) than that of “words in the English language and derived words” so it’s a lot harder to try to crack with a dictionary attack.
Also it works in everything that takes ASCII characters (i.e. everything but numeric only pin codes).
A nice system
Security expert reveals surprising way to induce headaches
Security experts don’t actually have to work on corporate IT systems.
So you’ve set your password to contain a 😇 have you?
Ok so how are you going to type it on this desktop computer keyboard here…
Yeah I thought not. I’ll just go reset your password shall I?
win+. (works on kde too afaik…?)
I’ll let you be in charge of teaching them that. I literally had to talk someone through how to type an exclamation mark today, I don’t think they’re going to handle the extended Unicode character set.
Terrible idea, good luck logging in on desktop.
You know there’s someone somewhere who would answer you with, “what’s a desktop?”
I began feeling old when re**itors started calling their site an ‘app’
You can say Reddit, it isn’t blasphemous
I’m still in denial 😅
Dammit I’d forgotten that awful commercial. Angry upvote.
Listen here, you little shit
For Windows 10/11, it’s win+; to open the emote window.
It’s Windows logo key + . (period).
Both work for me and I haven’t messed with the keybindings for it.
Cmd+Ctrl+Spacebar on Mac
Huh! TIL ☺
Who needs Reddit when people like you are here on Lemmy.
That doesn’t work on the desktop last I checked.
But it’s actually possible to set a password with emojis anyways (or at least for domain accounts). I successfully logged in on a VM using the Hyper-V window and pasting the emoji from the host. You can also name an account a single emoji and windows actually handles it decently. It’s very likely to break a lot of programs though.
It worked on my desktop
😁👍╰(°▽°)╯
Works even in notepad on Windows 11, lol
Oh I meant the lock screen, sorry. As far as I know it works everywhere except the lock screen.
oh, I never tried. There goes that option. Wonder if that was intentional to prevent people from trying to use emoji passwords because they didn’t trust windows to handle it.
It’s probably just because the emoji panel is a program and the lock screen has very limited, if any, capabilities to run any programs. And trying to make the emoji panel function on the lock screen is pretty much a waste of time anyways.
It’s worked on desktops for years and works right now. As someone else pointed out “win+.” works as well. Or maybe it’s supposed to be the only way it works and mine is bugged? Idk. I found it via trying to lock my desktop and mistyping.
Under Windows press Win+.
Wait, you can’t type emoji on your desktop? I feel sorry for you. 🥺
I have no idea how you could either. I don’t know how to create them with a keyboard
Firefox has an addon that opens up an emoji panel.
Winkey + .
Works on Windows and some Linux distros by default