Emojis are known to break systems in certain circumstances due to the way they’re interpreted in certain character sets.
I guarantee people doing this will not only lock out their own accounts, but may even freeze some authentication servers.
https://www.pcmag.com/news/want-to-brick-an-iphone-send-some-emojis
The website should feed your password straight into a well known hashing algorithm or key derivation function that has undergone a decade or more of careful scrutiny, without any other processing. The output will usually be a fixed length base64 or hex string.
There’s a short list of about three options that are currently considered acceptable, and a few more are probably fine but are a little too easy to crack these days (e.g. anything that shares the same math as bitcoin… what if someone throws a mining datacentre at your password?)
If the site breaks, maybe you don’t to be a customer of that service.
Can you still log in to wellsfargo accounts using the T9 translation of your password?
make one account with emoji password to test their system, if it break, good, go create hour account somewhere else
It’s not the processing on the server that’s the problem. To reach the server the password needs to go through several layers of character encoding, if any of them fails the server will receive something different from what you meant. And when you try to login from another device and the layers will be different you’ll effectively be sending a different password.
The same character encoding that would break emoji would break a significant portion of the words names, so if your system can’t handle it, then you deserve all the trouble that you run into.
Unicode isn’t that hard.
It’s not the 90s anymore.
auth servers breaking from emojis would be hilarious, pretty sure that’s why older auth servers only allow certain symbols in passwords
“Your password ‘🤣umådbrø⁉️’ is breaking our server. Please change it.”
“Of course. What is the server’s root password?”
If some auth server breaks because I put emojis in my password then that’s right and deserved
Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin’ for not stripping non-UTF characters (or making sure they work).
My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn’t have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn’t even recognize it.
So if anything, I’d say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboards layout can be installed across devices and are fully standardized, even if the same character looks slightly different.
also some OSKs put whitespaces after inserting an emoji, some doesn’t. there’s no unified emoji input method yet.
There’s no such thing as a non-UTF8 character. You mean non-UTF8 bytes? If a system sees those, it should reject the entire input, not try to patch it up.
OTOH, there is only one character set that matters, and any system using a different one is, by that fact alone, broken.
I said only one that matters. So I already did pick one. It’s called Unicode.
UTF-8 and UTF-16 pretty much do everything, but if you have a UTF-16 emoji in a UTF-8 system, you’ll have a bad day. :(
Those are encodings, not character sets.
IANA calls them character sets, it’s literally in the URL twice, that’s good enough for me!
No need to tell us how you feel every day
and there are many trash implementations that dont recognise something like :emoticon: as shortcut and turn it into emoji, no no you have to use emoji keyboard to type them
deleted by creator
That only applies to iphones that came out 2016 or earlier and we’re never updated right?
Hahaha, I wish.
You would be amazed at how ancient and poorly maintained many web servers are on the modern internet. SQL injection still consistently make the top 3 web app vulnerabilities as of 2021. If that isn’t being sanitized properly I don’t expect emojis would be handled much better.
Thanks I wasn’t aware of that
For that particular bug, yes, but there have been many other variations on that theme and not limited to Apple tech. I’ve seen it nuke an email send for example because the SMTP server choked on emojis placed in a subject, to, or from line.
Thanks I appreciate the clarification
💯🐴🔋(umm, staple)
Correct horse battery staple!
But was it a 💯 or was it a ✅? Damn neither. Let’s try with 👍…
Jeez, you’re right. We got pens, pencils, stock charts, even those folders with the colored label tabs, but no stapler, the most basic of office equipment.
When it’s added, I expect most implementations will make it red.
I want it to be pregnant
Preganant?
If a women has starch masks on her body does that mean she has been pargent before?
¿Preganté?
Hopefully it’s compatible with skin tone modifier.
Good luck logging in a Smart TV.
Security Experts probably don’t log into smart tvs all that often. Just a guess.
Sorta how car designers never have to actually fix cars.
But why wouldn’t it make sense to need to pull the cab off of a pickup truck to change the spark plugs?
Car expert
Well how about my paddle car
That’s true for all car designers. You’re referring to the shitty designers, though.
Architects don’t get involved in the actual construction of a building either.
Oh they do. They come to tell you that the safety protocols you’ve implemented are interfering with their design.
They’d prefer it if it looked pretty and then just fell down and light breeze thank you very much
Logging in a smart tv? Lol!
All the apps I’ve used recently use QR codes (or similar measures, like a sync code) that has you log in from the phone, so it should work anyway!
But not all apps, sadly, I just experimented it with Crunchyroll, and saw my dad struggling with a crappy app called Vix yesterday.
Fair enough. I’m mostly using “big ones” plus SmartTube.
In my experience the only one that works with any degree of reliability is YouTube. Even the Netflix one can be fairly intermittent.
Also a lot in the time you’ll go away and the hotel you’re in will have a smart TV and the software was last updated in 2011 so you have to sign in on the device.
Scan the QR code and log in on your phone. Oooh scary
I’ve had to manually type in passwords on a TV several times in the last few months because sometimes the login for even the biggest brand-name services is just broken.
Security expert reveals surprising way to induce headaches
Security experts don’t actually have to work on corporate IT systems.
So you’ve set your password to contain a 😇 have you?
Ok so how are you going to type it on this desktop computer keyboard here…
Yeah I thought not.I’ll just go reset your password shall I?
win+.
(works on kde too afaik…?)I’ll let you be in charge of teaching them that. I literally had to talk someone through how to type an exclamation mark today, I don’t think they’re going to handle the extended Unicode character set.
Terrible idea, good luck logging in on desktop.
You know there’s someone somewhere who would answer you with, “what’s a desktop?”
Listen here, you little shit
Dammit I’d forgotten that awful commercial. Angry upvote.
I began feeling old when re**itors started calling their site an ‘app’
You can say Reddit it isn’t blasphemous
I’m still in denial 😅
deleted by creator
Wait, you can’t type emoji on your desktop? I feel sorry for you. 🥺
For Windows 10/11, its win+; to open the emote window.
It’s Windows logo key + . (period).
Both work for me and I haven’t messed with the keybindings for it.
That doesn’t work on the desktop last I checked.
But it’s actually possible to set a password with emojis anyways (or at least for domain accounts). I successfully logged in on a VM using the Hyper-V window and pasting the emoji from the host. You can also name an account a single emoji and windows actually handles it decently. It’s very likely to break a lot of programs though.
It worked on my desktop
😁👍╰(°▽°)╯
Works even in notepad on Windows 11, lol
Oh I meant the lock screen, sorry. As far as I know it works everywhere except the lock screen.
oh, I never tried. There goes that option. Wonder if that was intention to prevent people from trying to use emoji passwords because they didn’t trust windows to handle it.
It’s probably just because the emoji panel is a program and the lock screen has very limited or any capabilities to run any programs. And trying to make it the emoji panel to function on the lock screen is pretty much a waste of time anyways.
Its worked on desktops for years and works right now. As someone else pointed out “win+.” works as well. Or maybe its supposed to be the only way it works and mine is bugged? Idk. I found it via trying to lock my desktop and mistyping.
Who needs Reddit when people like you are here on Lemmy.
No. There’s only one piece of advice that should be given to users in 2023 about how to make their passwords stronger:
Use a password manager
Just use 32 character random alphanumeric passwords that are unique for each site (you can do more like 12-16 characters if you’ll ever need to enter manually).
This is it. Stop trying to create clever passwords that you can remember. You aren’t as uniquely creative as you think and there’s been bodies of research into how the various things people do to create passwords that look secure can reduce the generation space so much that they become considerably easier to crack with an intelligent algorithm.
How many websites/services don’t support such lengthy passwords these days?
Few, but those that don’t you can just shorten the length generated.
Oh for fuck’s sake, just turn on 2FA
xkcd still has the best approach to this; four random common words
I like doing entire phrases with some rhymes thrown in. Makes it easier to remember them.
“BonyTonyMoansHe’sOnlyGrownLonely” has a shitload of characters, and a full sentence (even a nonsensical one like that) is more memorable to me than a random handful of disparate words.
The more ridiculous, the better. (And, naturally, don’t forget your numbers and symbols)
EDIT: Actually, no idea why I made it all one group of words. So long as spaces are in the password’s character space (and they very well should be if friggin’ emojis are), there’s nothing stopping you from doing an entire, punctuated sentence- other than that we’ve been conditioned not to think of a password that way.
“Skinny Kenny’s friend, Mini Ben, has 20 chins.” That should be a fully-acceptable password with 46 characters (48 if you add the quotes), capital letters, numbers, and special characters.
You can’t compare a 46 random character password to a password composed out of words, the entropy of each is very different. Your kind of password is vulnerable to dictionary attacks which are way more common and easy than brute forcing every possibility. A 50+ characters unique random password for each service that is stored in a password manager which is encrypted with a 20+ characters random password is the most secure and future proof (for now).
If the attacker doesn’t know that you’re using a dictionary password, then dictionary attacks probably won’t be their first choice. I want to remember these passwords across devices and on guests.
Like someone else said on this thread; that’s just security by obscurity, which is bad. Dictionary attacks will be one of the first (brute force related) attacks attackers will use because word passwords are incredibly popular (though admittedly of fewer words: VeryBigDog34 etc…), and relatively easy to do. I agree that having the password across different devices is somewhat of a challenge with a password manager, but not impossible. My very long and complex password is all down to muscle memory by this point, I couldn’t tell you what it is from memory.
Also you shouldn’t use the same password on multiple things and if you don’t use a password manager you will need to memorize a lot of different passwords.
Dictionary attacks aren’t some magic bullet. There are a lot of english words and just four of them IS comparable in cracking difficult to a standard 8-char password that is as random as you can make it. There are a lot more words than there are symbols. Four words is obviously not as good as 46 totally random chars
Dictionary attacks are definitely not a magic bullet, they require a lot of processing power, just like any other brute-force attack, but not more because of their longer length, as has been implied.
True, there are a lot of english words, but the amount of common words is relatively small. Most people aren’t going to choose a password like “MachicolationRemonstranceCircumambulationSchadenfreude”, even if it were generated for them (which is unlikely).
Sure, it is comparable to a standard 8 characters passward, but even that kind of password is verging on the insecure (it is the absolute minimum, which should be avoided when possible).
There are also a lot of symbols when you count emojies and the entire Unicode standard.
I love it, Bitwarden has supported generating passphrase style passwords for a while and it’s basically that. It’s my go-to these days.
Four words is too low these days to protect against gpu bruteforcing
Got a source on that?
Edit: plus brute forcing is just one scenario. I think the xkcd comic refers to using passwords in online services, and those usually have some sort of rate limiting.
That only works if someone already has access to a system’s password database.
Just be sure to throw in symbols and numbers to beef it up. Dictionary words are easier to brute force.
Not 4 of them in a row. Keep in mind the attacker doesn’t know " look for exactly 4 words"
I prefer picking a sentence or so that has meaning to me, using the first letters, and then adjusting for numbers/symbols. So if I wanted to make that a pw, it’d be 1ppa505thm2m,utfl,atafn/5. -looks completely unintelligible, but as long as you can remember the sentence and have some ideas of how you would have encoded it, easy enough to remember/recreate.
good luck remembering all of those for every account you create, though.
It’s as easy to remember a bunch of those as it is remembering 4 random words with no association, I think. And besides, just use that for the big, important, pws like your pw manager.
Password database
I’d rather staple my forehead to a telephone pole before I ever think about using an emoji in a password. Those things are abominations!
Out of curiosity, what makes you say so?
Edit: Oh. Did a “Wooosh” happen to me right now? Are you being ironic and referring to the XKCD thing about how to make a secure password using words in phrases?
I think OP is conflating the use of emojis in passwords with the use of emojis by the general public.
Yes, it’s annoying to read stuff like “Hi 😃😃😃😃 I am Bob ♥️♥️♥️😎😎😎😎,” but that doesn’t mean that using them in passwords is a bad idea.
deleted by creator
I can agree with you. I’m curious what these reasons are, though?
Because they’re a major pain to type, except for the most common ones?
👆
Until you get to a prompt that doesn’t support unicode.
Just use a password manager, goddamn.
But only save emojis in it lol
Sounds great where it works but I’m sure most systems would reject an emoji or make you type out some overly complex password in addition to your emoji.
It’s all just Unicode so in theory a password system shouldn’t think that emoji or any more interesting than any other character. To a computer the letter B and the emoji ✈️ equivalent in that they’re both just normal characters that one can type.
Sort of, emoji are usually treated as two or more normal characters so ✈️ might be equivalent to BB. But the basic point is the same.
What’s up with all the hate for emojis lmao
People who use them tend to spam the hell out of them. Like, 8 of the same emoji. And they use them every other sentence. It’s obnoxious, you only need one or two to get the point across.
Antisocial people.
It was the same on Reddit. All of the people who despised emojis were often posting in really cringe and incel related subs.
My use of emojis sky rocketed after I started dating. They are fun and convey emotion really well.
I’m convinced emojis are what has been missing from language for a long time. They are great way to portray emotions through texts, which otherwise could not be achieved.
This way there is a difference between:
“You are so amazing 😁👍”
and
"You are so amazing 🙄 "
"You are so amazing 🙄 "
Greatest put down ever.
deleted by creator
If I’m going to be relaying through to people strictly over text as much as I do these days, I better have a way to articulate it with the right emotional range to match my sparkling personality ✨
🤣
🍆✊💦🍳
😔
They didn’t exist yet when I was an early teenager, all we had were emoticons that might be replaced by images by the forum software, so of course I think they’re stupid /s
Without sarcasm, it is a good thing we have standardized symbols now and don’t have to implement emoticon replacement into forum or chat or social media software. If only because half of such implementations replaced any occurrence of the number 8 followed by a closing parenthesis with 😎 even when that wasn’t the intended meaning (one can think of many other times one would end a parenthetical statement with the number 8).
…no
Can you write any unicode cahracter? Gotta make passwords in cuneiform
(👁 ͜ʖ👁) 𓂺
-The most secure password
Wingdings for life baby!
Wingdings is a font.
That was a joke. There now we both said something that was plainly obvious.