Cosmos7349 , (edited )

As a software developer who has worked with a lot of symbols and emoji… PLEASE DON’T DO THIS.

Software doesn’t all handle these symbols the same way, and without tech knowledge (or even with), it’s very possible to not be able to log in easily. I’m kinda drunk rn, but I’ll try to explain as simply as I can…

For example… skin-tone emojis are actually two characters, a face and a skin-tone modifier. I think those ones are always two characters, but some of these “multi-char” characters can be normalized into a single character. But not everyone handles this the same way. For example, Safari might normalize the emoji, but Firefox might treat it as two separate characters… And this would probably make your password not match. But basically… text has lots of edge cases; I’d advise using normal passwords, please (also maybe a password manager).
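Editor’s added example (not code from any post in this thread): the two failure modes Cosmos7349 describes, a skin-tone emoji being two code points and the same glyph existing in composed and decomposed forms, can be seen directly in Python. SHA-256 stands in for whatever hash or KDF a site actually uses; the sample strings are constructed for the demonstration. Unicode normalization (NFC/NFKC) reconciles the composed/decomposed case, but it does nothing for an emoji sequence whose modifier or variation selector an input method dropped.

```python
import hashlib
import unicodedata
from typing import List, Optional

# Constructed sample inputs for the demonstration (not from the original post).
WAVE_MEDIUM_SKIN = "\U0001F44B\U0001F3FD"   # waving hand + U+1F3FD medium skin tone modifier
AIRPLANE = "\u2708\uFE0F"                  # the airplane emoji: U+2708 + U+FE0F variation selector-16
CAFE_NFC = "caf\u00E9"                     # 'é' as one precomposed code point
CAFE_NFD = "cafe\u0301"                    # 'e' + U+0301 combining acute: same glyph, different code points


def code_points(s: str) -> List[str]:
    """The code points a string is made of, which is what a login form actually submits."""
    return [f"U+{ord(ch):04X}" for ch in s]


def strip_variation_selectors(s: str) -> str:
    """Mimic an input path that drops U+FE0E/U+FE0F, the text/emoji presentation hints."""
    return s.replace("\uFE0E", "").replace("\uFE0F", "")


def password_digest(password: str, form: Optional[str] = None) -> str:
    """Digest over the UTF-8 bytes, optionally after Unicode normalization.

    The digest is over bytes, so any change in code points changes the digest;
    normalization only helps where Unicode defines the two spellings as equivalent.
    """
    if form:
        password = unicodedata.normalize(form, password)
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_password(stored: str, typed: str, form: Optional[str] = None) -> bool:
    """Verify `typed` against `stored`, normalizing both sides the same way (or not at all)."""
    return password_digest(stored, form) == password_digest(typed, form)


if __name__ == "__main__":
    print(code_points(WAVE_MEDIUM_SKIN))                          # two code points for one glyph
    print(code_points(AIRPLANE))                                  # two code points for one glyph
    print(same_password(CAFE_NFC, CAFE_NFD))                      # False: same glyph, different bytes
    print(same_password(CAFE_NFC, CAFE_NFD, "NFC"))               # True: normalization reconciles them
    print(same_password(AIRPLANE, strip_variation_selectors(AIRPLANE), "NFKC"))  # False: not recoverable
```

NIST SP 800-63B recommends that verifiers normalize to NFKC or NFKD before hashing, which fixes the café case above. Whether a browser or keyboard submits the skin-tone modifier or the U+FE0F presentation selector is still outside the site’s control, which is the practical argument against emoji in passwords.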

banneryear1868 ,

Was gonna say… you’re relying on the consistency of external emoji handlers that you don’t control. ASCII emojis are one thing.

Cosmos7349 ,

Is my explanation ok? The hard kombucha was… harder than I anticipated

banneryear1868 ,

It was pretty normal lol. Basically everything between the visual of an emoji and what “text” is entered is not in your control. So it’s great for security but not in practice as a password. What brand was the kombucha I want some.

Cosmos7349 ,

I didn’t realize NYC has a physical Juneshine location. So I got a flight… and a Juneshine cocktail…

stardreamer ,
@stardreamer@lemmy.blahaj.zone avatar

Thanks for the feedback! I’ll be sure to use non-printing characters instead of emojis for my passwords! (They can’t guess it if it’s invisible right?)

In all seriousness, why are people so averse to using password managers? People are plenty willing to use the browser’s built-in “remind my password” instead of a proper password solution such as Bitwarden… And they come up with such “hacks” just to avoid using a proper-length password.

SuddenlyBlowGreen ,

Just use a password manager, goddamn.

RagingRobot ,

But only save emojis in it lol

fosstulate ,
@fosstulate@iusearchlinux.fyi avatar

Two of my colleagues still use locally stored plaintext for individual work credentials, despite having been shown where the password manager is. Both have accessed their files in front of me. If it’s not in those files it’s saved in the browser (because convenience is a hell of a drug). Now you start to see why discrete managers have a hard time, even amongst technology workers.

SuddenlyBlowGreen ,

Yeah, you can lead a horse to water, and whatnot.

Treczoks ,

Completely useless from many sources where I have to rely on a keyboard for entering passwords.

drugo ,

Most modern OSes feature emoji pickers though

RagingRobot ,

macOS and Windows? I haven’t seen it on my Mac but maybe on Windows? Those are pretty modern. I haven’t seen it in Linux either, now that I think of it.

ayyansea ,
@ayyansea@lemmy.world avatar

there is a “Characters” app in GNOME that lets you pick emojis

dbilitated ,
@dbilitated@aussie.zone avatar

Win+. will bring it up in Windows

paraphrand ,

Yup, macOS has one too.

pajn ,

Ctrl + ; should bring up an emoji picker in Linux when you have focused a text field

Treczoks ,

What part of the word “Keyboard” did you not understand?

Treczoks ,

As it said in the document: with a little help from your OS. So I want to log into lemm.ee from another person’s computer. I do not have my own keyboard, and I have neither my additional drivers nor extensions or whatever. Oops. No login.

Agent641 , (edited )

For petty services where you don’t want to have to break out the password manager, try making your own mental salted hash.

Pick four long words at random. Assign each of these to the four quadrants of the alphabet.

A-F - Equipment

G-M - Triumphant

N-S - Sampling

U-Z - Fatigued

Pick one number:

4

Now, take the first letter of the service that the password is for, and that selects your quadrant word. Take the number of letters in the service and multiply it against your number. Take the last letter of the service, and on your QWERTY keyboard, move all the way to the right of that line to select the first symbol there. That’s your unique password that’s salted with your personal words and number.

Facebook = Equipment32:

Lemmy = Triumphant20{

Pizza Hut = Sampling36{

If you want more security for these petty services, use longer words, a bigger number, or use some other metric. Tweak the algorithm to make it unique to you. Maybe capitalize a middle letter in your salt word based on the length of the service name. Maybe add the first letter of the colour of the service logo to the password, e.g.

Facebook = Equipment32:B

Lemmy = Triumphant20{T

Pizza Hut = Sampling36{R

Petty services I would consider to be anything that’s not super critical, and is at a higher likelihood of breaching my shit.

For banks, primary emails, or government services, use a more complex algorithm or a random string of chars from your password manager.
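Editor’s added example (my code, not Agent641’s): the scheme above written out as a function, which is also the quickest way to see what one leaked password gives away. Two assumptions are needed to reproduce the post’s three outputs: the post’s quadrants skip the letter T, so T is mapped to the U-Z word here, and the service length counts the space, which is the only way “Pizza Hut” yields 9 × 4 = 36. The second half shows what an attacker holding one (service, password) pair recovers: the quadrant word and the multiplier, and from there the password for every other service in that quadrant. That is the inference problem raised later in the thread, and it is also why such a password cannot be rotated after a breach without changing the scheme.

```python
import re
from typing import Tuple

# The four quadrant words and the multiplier are the post's own worked values.
# "TUVWXYZ": the post lists U-Z; T is unassigned there and mapped here as an assumption.
QUADRANT_WORDS = {
    "ABCDEF": "Equipment",
    "GHIJKLM": "Triumphant",
    "NOPQRS": "Sampling",
    "TUVWXYZ": "Fatigued",
}
MULTIPLIER = 4

# Shifted symbol immediately to the right of the letters on each QWERTY row,
# which is what the post's three examples use (':' for k, '{' for y and t).
ROW_SYMBOL = {"qwertyuiop": "{", "asdfghjkl": ":", "zxcvbnm": "<"}


def _row_symbol(last_letter: str) -> str:
    return next(sym for row, sym in ROW_SYMBOL.items() if last_letter.lower() in row)


def mental_hash(service: str, words=QUADRANT_WORDS, multiplier: int = MULTIPLIER) -> str:
    """Reproduce the post's scheme: quadrant word + (name length * number) + row symbol.

    len(service) counts every character including spaces; that is what makes
    "Pizza Hut" come out as Sampling36{ in the post rather than Sampling32{.
    """
    letters = [c for c in service if c.isalpha()]
    word = next(w for rng, w in words.items() if letters[0].upper() in rng)
    number = len(service) * multiplier
    return f"{word}{number}{_row_symbol(letters[-1])}"


# Shape every output of the scheme has: letters, digits, one trailing symbol.
LEAK_PATTERN = re.compile(r"^([A-Za-z]+)(\d+)(\W)$")


def recover_secrets(service: str, leaked_password: str) -> Tuple[str, int]:
    """What one leaked (service, password) pair hands an attacker who knows the scheme:
    the quadrant word for that service's first letter and the multiplier."""
    match = LEAK_PATTERN.match(leaked_password)
    if not match:
        raise ValueError("password does not follow the scheme")
    word, digits, _symbol = match.groups()
    number = int(digits)
    if number % len(service):
        raise ValueError("name length does not divide the number; different multiplier or scheme")
    return word, number // len(service)


def predict_same_quadrant(target: str, word: str, multiplier: int) -> str:
    """Password for any other service whose first letter falls in the leaked quadrant.
    No further secret is needed; the row symbol is public (it depends only on the name)."""
    letters = [c for c in target if c.isalpha()]
    return f"{word}{len(target) * multiplier}{_row_symbol(letters[-1])}"


if __name__ == "__main__":
    for svc in ("Facebook", "Lemmy", "Pizza Hut"):
        print(svc, "=", mental_hash(svc))
    # Constructed breach scenario: the Facebook password leaks in plaintext.
    word, mult = recover_secrets("Facebook", "Equipment32:")
    print("recovered:", word, mult)
    # Any other A-F service is now computable; "Dropbox" is a constructed target name.
    print("Dropbox =", predict_same_quadrant("Dropbox", word, mult), "==", mental_hash("Dropbox"))
```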

adrian783 ,

too short, for all that effort just use a sentence with a symbol and a number.

FacebookCanGoToHell!123 is more secure and easy to remember

Agent641 ,

You’re going to memorize a unique sentence for each service?

A method like this allows you to memorize only 4 words of arbitrary length, a number, and a simple algorithm to yield unique passwords for each service.

Rubanski ,

Also you can’t really “forget” a password, because it’s connected to the name of the site. Very clever

Evotech ,

You can also add a standard phrase to all of them that is shared between them all just to make them more complex

Equipment32:thisismypassword

adrian783 ,

yes, it is what I do now. there was a time when people memorized 10, 15 phone numbers.

banneryear1868 ,

Yeah putting the name of the service in the passphrase is actually pretty secure, unless the rest of the password is like “thisisapasswordforFACEBOOK” cause then one password gets leaked and the rest can be inferred.

kpb ,

Just come up with one strong password (see xkcd.com/936/) for your password manager and use randomly generated passwords for everything else. There’s no reason to manually compute a hash every time you sign up for a service.

HiddenLayer5 ,

Also, for a non-remembering solution, use a security key with your password manager, the kind that plugs into USB and you have to tap a button to authenticate. Then you can generate a true random password and store it somewhere safe as a backup, and mainly use the key for day to day.

dbilitated ,
@dbilitated@aussie.zone avatar

what about when you’re on your phone?

floridaman ,

Many security keys have NFC, or if you’re on a modern phone, you can use USB type C (Yubikey 5C)

HiddenLayer5 ,

Authentication app is another option. I believe some password managers can be set up to take the master password once per device and then accept authenticator codes to unlock for each subsequent time.

Or, since your phone is probably a lot more locked down than your computer, it might also be acceptable to just leave the password manager unlocked on your phone all the time, depending on your threat model. Almost every modern phone since like the days of the iPhone 5S has a cryptographic TPM/secure enclave in the processor, while the fact that not every computer has one was a major sore spot in Windows 11 compatibility. Assuming your phone is both encrypted and password protected, and you trust the OS to implement both securely, the PIN on your phone works more like the PIN on your credit card than a traditional password login on a non-encrypted, non-TPM computer, so even if a bad actor physically had your phone, it would be very hard to actually extract data out of it without the passcode (assuming it’s just your garden-variety cybercriminal and not the CIA or something), which would serve as your master password in that case. Hardware security features can also resist brute-force attacks where someone clones your hard drive and hooks it up to their own computer to try and guess the encryption password without the wrong-entry time delays slowing them down; a secure enclave will actually enforce the time delays with no easy bypass and can also be set to wipe the phone if you get the passcode wrong too many times.

Phone apps are also almost entirely sandboxed from each other and can’t directly access other apps’ data, so the risk of a malicious program reading the password manager’s cache or database is also far lower than most desktop operating systems.

splines ,

The problem with using hash schemes like this is that when your password is leaked you can’t easily rotate the password.

bdkmshr ,

Not to mention if you suddenly developed amnesia or dementia

lemmyingly ,

This is what got me using a password manager. I didn’t want to trust a password manager because it felt like they would be highly targeted and one vulnerability would reveal everything. And let’s be honest they still are the same.

So I had my own scheme for generating passwords. I made myself a script that I could use on my phone and PC. It worked beautifully and effortlessly until occasionally a service would force me to choose a new password. When this started happening I made a new scheme for generating passwords and made a new script. When it first happened it was still reasonably easy because there was only one service I had to use the alternative. It started to become more difficult the more services asked for a new password.

I used my own system for several years until I had enough with trying to remember which services used the alternative scheme and wondered when I’d have to make a third scheme. And if I did then the mental complexity would significantly increase.

Interestingly only a couple of services publicly announced they had been hacked and none of my passwords have ever appeared on haveibeenpwned. So I wonder why these services asked for a new password and if they had been attacked why they chose not to announce it.

Arfman ,

A long time ago a friend of mine used a set of key presses to generate a smiley face to put in his BIOS, which ended up in a situation where he was not able to type the same smiley face into the password prompt. I had to teach him to reset his BIOS battery to get back into the BIOS.

Salamendacious OP ,
@Salamendacious@lemmy.world avatar

You’re a good friend

kromem ,

No. There’s only one piece of advice that should be given to users in 2023 about how to make their passwords stronger:

Use a password manager

Just use 32 character random alphanumeric passwords that are unique for each site (you can do more like 12-16 characters if you’ll ever need to enter manually).

This is it. Stop trying to create clever passwords that you can remember. You aren’t as uniquely creative as you think and there’s been bodies of research into how the various things people do to create passwords that look secure can reduce the generation space so much that they become considerably easier to crack with an intelligent algorithm.

Test your ability to be unpredictable

shucks ,

I got it to a stable 54% by using an algorithm (typing f or d for consonants and vowels respectively in sentences I thought up, switching languages regularly), and a stable 56% by just typing randomly and adjusting my patterns based on the colored output, which might have skewed my results. Certainly a very cool tool, I also liked the explanation linked on the page!

lemmyingly ,

How many websites/services don’t support such lengthy passwords these days?

kromem ,

Few, but those that don’t you can just shorten the length generated.

lazycouchpotato ,
@lazycouchpotato@lemmy.world avatar

I disagree with them.

  1. Emojis do not look the same on all platforms. Let’s take white large square ⬜ for example. Emojipedia shows what that emoji looks like on 26 different vendors. Some are pure white, some are shades of grey, and then there’s Microsoft, who in its usual infinite wisdom decided it should be purple. Large yellow square 🟨 is a tossup between actually yellow and orange. This issue is also exacerbated by different displays displaying colours differently. Factors such as colour accuracy, viewing angle and brightness affect how you perceive colour.
    https://lemmy.world/pictrs/image/4300511f-3280-480f-9b33-07a24f8974cf.png

This also extends to face emojis. grinning face with big eyes (Emojipedia link) isn’t that easy to tell apart from grinning eyes (Emojipedia link)

  2. Emoji support depends on your device. I’m on Windows 11 22H2, which recently added support for shaking face 🫨. Problem is, Windows’ emoji picker, Win + . (period), doesn’t have it. Trying to log in on a friend’s phone that’s still on iOS 15 or Android 12, before shaking face came out? Enjoy manually copy/pasting the emoji from Emojipedia.

correct horse battery staple on the other hand looks the same on all devices.

Aceticon ,

Grab a sentence you know well.

Pick just the first letter of each word.

It will look like it’s random - for example “I like my lemmy only with beans and bacon” becomes “ilmlowbab” - and it comes from a far vaster possibility space (every possible sentence, and it need not even make sense) than that of “words in the English language and derived words”, so it’s a lot harder to crack with a dictionary attack.

Also it works in everything that takes ASCII characters (i.e. everything but numeric-only PIN codes).

Salamendacious OP ,
@Salamendacious@lemmy.world avatar

A nice system

Aceticon ,

deleted_by_author

    echodot ,

    Yeah, I know, you said

    PlexSheep ,
    @PlexSheep@feddit.de avatar

    Just use longer passwords?

    Salamendacious OP ,
    @Salamendacious@lemmy.world avatar

    What do you think is a good length? I think it has to be at least 10 but over 15 is much better.

    Something_Complex ,

    Idk exactly how accurate this is but seems valid

    https://lemmy.world/pictrs/image/fa3e6401-6c6a-47c2-b491-9f69fd8659df.jpeg

    atkion ,

    The colors on that are kinda confusing. 6tn years is yellow, but 2k years is green?

    SnipingNinja ,

    It seems like the designer didn’t notice the error

    bnfdhfdhfd ,
    @bnfdhfdhfd@lemmy.world avatar

    So those annoying as hell “6 character, lowercase and uppercase letters, special character” passwords give a full 6 minutes of protection. Good to know.

    ngcbassman ,

    For 6 characters it’s 5 seconds. I like the idea of using passphrases that mix casing with symbols but still look like real words; it makes it easier to write them down when you need them, and they can be very long, so they are quite secure, of course using a password manager to be able to manage them.

    bnfdhfdhfd ,
    @bnfdhfdhfd@lemmy.world avatar

    Damn, even worse than I thought. I wish someone would show this to the people who set those ridiculous password requirements.

    I was glad when my work did away with monthly password changes and went with 15 characters minimum as the only requirement.

    echodot ,

    Why is 1,000 years yellow in that graph?

    If a password can’t be broken in 1,000 years it is utterly unbreakable in any effective sense of the term. No one’s going to run the program for a thousand years because even if they did it wouldn’t be relevant at the end of the process.

    Hell even 51 years is pushing it.

    The_Vampire ,

    Well, the rate passwords can be tested at now may not always be the rate passwords can be tested at later. Computers were, at one point, growing exponentially faster in terms of processing power. There are still several emerging technologies out there that could cause significant speed-ups.

    It’s certainly better to future-proof your passwords.

    dbilitated ,
    @dbilitated@aussie.zone avatar

    I wonder if this assumes the cracker knows how long etc the password is when they start cracking.

    I always make my passwords “a” because I figure they’ll start cracking attempts at 5 characters 😁

    fosstulate ,
    @fosstulate@iusearchlinux.fyi avatar

    In EVE Online that’s called ‘getting underneath the guns’. 🎓

    PlexSheep ,
    @PlexSheep@feddit.de avatar

    Rookie numbers. Max out the character limit.

    Seriously tho: go for at least 80 bits of randomized characters. If it’s something you have to type, use a couple of random words. Longer passwords are exponentially more secure.
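Editor’s added example (my code, not PlexSheep’s or kromem’s): sizing a random password to a bit target and generating it from the OS CSPRNG, which is the arithmetic behind “80 bits” and “32 random alphanumeric characters”. A 62-symbol alphanumeric alphabet gives about 5.95 bits per character, so 80 bits needs 14 characters and 128 bits needs 22; a Diceware-style list of 7776 words gives about 12.9 bits per word, so 7 words clear 80 bits. The crack-time estimate takes the guess rate from the caller; the 10^12 guesses per second used in the demo is an illustrative assumption, not a measurement, and, as The_Vampire notes above, that rate only goes up.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols
DICEWARE_LIST_SIZE = 7776                              # 6**5 words, the size of a Diceware / EFF long list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string drawn uniformly at random: length * log2(alphabet size).
    Each extra symbol multiplies the search space by alphabet_size, hence 'exponentially'."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniform random string reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length: int, alphabet: str = ALPHANUMERIC) -> str:
    """Uniform random password from the CSPRNG. secrets.choice is unbiased over the
    alphabet; the random module is not designed for secrets and must not be used here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every value of a bits-wide uniform secret at a given offline guess rate.
    On average an attacker needs half of this; a rate that doubles later halves it again."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"32 alphanumeric chars: {entropy_bits(32, 62):.1f} bits")
    print(f"80 bits needs {length_for_bits(80, 62)} alphanumeric chars "
          f"or {length_for_bits(80, DICEWARE_LIST_SIZE)} Diceware words")
    print(f"128 bits needs {length_for_bits(128, 62)} alphanumeric chars")
    print("example:", random_password(length_for_bits(80, 62)))
    # Assumed illustrative offline rate of 1e12 guesses/s (not a measured figure).
    print(f"80 bits at 1e12 guesses/s: about {years_to_exhaust(80, 1e12):,.0f} years to exhaust")
```

The 14-character figure is why kromem’s “12 to 16 if you ever type it manually” sits right at the edge: 12 alphanumeric characters are about 71 bits, 14 are the first length past 80.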

    Salamendacious OP ,
    @Salamendacious@lemmy.world avatar

    All I can picture in my head is Matthew McConaughey telling Leonardo DiCaprio he needs to masturbate more

    314xel ,
    @314xel@lemmy.world avatar

    It depends on how the password is stored / KDF used (what type of hash, salting, bcrypt, etc).

    Judge for yourself if it’s an old website or old piece of software that might use (god forbid) MD5. Since one would not normally know that, I’d go with 20 (good, cryptographically) randomly generated upper/lower/digits if using a password manager, or a 40ish-character passphrase if you need to remember and/or easily type it. Add some punctuation / special chars (spaces, commas, dots, parentheses, etc.) if it’s an important master key (i.e. password manager key, encrypted container, etc.) and you have decent typing skills.

    Some shitty sites / routers don’t accept certain special characters, hence go with upper/lower/digits as standard but use longer lengths (if the shitty site allows you and doesn’t limit that too). Limits to what a password should contain and/or length limits would be a sign of lazy programming and poor password management, so treat them as insecure from the get-go (yes, even big names like Oracle have piss-poor security or lazy implementation). Good programming nowadays shouldn’t have those limits, as user input sanitization / injection protection exists, and hash functions have a fixed length no matter what the input length is.

    Also very important, don’t reuse passwords for online accounts. Hence a password manager remembering them for you. There are still websites storing passwords in plain text. You wouldn’t want your local Pizza Hut to know or leak your email password by being hacked.

    kapx132 ,
    @kapx132@lemmy.world avatar

    or just use special characters of languages like: ą, ę, ø, č

    Salamendacious OP ,
    @Salamendacious@lemmy.world avatar

    Do you have trouble on physical keyboards?

    Grass ,

    Programmable or modded keyboard with qmk and you can physical key some pretty wacky stuff if you really wanted to.

    bradbeattie ,

    Or en.m.wikipedia.org/wiki/Zero-width_space? But seriously, just use unique random strings, likely through a password manager.

    spark947 ,

    Until you get to a prompt that doesn’t support unicode.

    xantoxis ,

    Oh for fuck’s sake, just turn on 2FA

    BrianTheeBiscuiteer ,

    Sounds great where it works but I’m sure most systems would reject an emoji or make you type out some overly complex password in addition to your emoji.

    Toribor ,
    @Toribor@corndog.social avatar

    Honestly you’d be surprised how many places it just works magically. I was surprised to find that Office365 users could use emojis in names for Microsoft Teams which had no problem syncing those accounts back to an on-prem Active Directory. You can use emojis to name a whole SQL database, let alone users/passwords on it.

    I keep wondering if I need to figure out how to turn that off but it hasn’t caused any problems. It’s definitely sketchy looking though when you see a bunch of normal usernames and then suddenly one is just ten snowman emojis in a row.

    Honytawk ,

    Emojis are just a string of special characters that get recognised and replaced by an image anyway. It is the same as using those special characters separately.

    echodot ,

    It’s all just Unicode, so in theory a password system shouldn’t think that emoji are any more interesting than any other character. To a computer the letter B and the emoji ✈️ are equivalent in that they’re both just normal characters that one can type.

    Sort of, emoji are usually treated as two or more normal characters, so ✈️ might be equivalent to BB. But the basic point is the same.

    Dark_Arc ,
    @Dark_Arc@social.packetloss.gg avatar

    It should work reasonably well in password systems that hash the password from a UTF-8 encoding… Which should be most things really. If the system is trying to process everything with ASCII, maybe not. It might even appear to work but get converted to some other character (which is kind of the worst case)… That should be rare in web applications though
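Editor’s added example (my code, not Dark_Arc’s or echodot’s): what a verifier actually sees. ✈️ is two code points (U+2708 plus the U+FE0F presentation selector) and six UTF-8 bytes, so “equivalent to BB” holds for the code-point count but not for bytes. The ASCII-only path Dark_Arc calls the worst case is shown with Python’s replace and ignore error handlers: every non-ASCII code point becomes a “?” or vanishes, so two different emoji passwords log in with the same, weaker effective string. The 72-byte bcrypt input limit is a property of bcrypt implementations that matters here because each emoji costs 4 bytes; the sample passwords are constructed.

```python
import hashlib

# Constructed sample passwords for the demonstration (not from the original post).
PLANE_PW = "p\u2708\uFE0Fss"            # 'p', airplane emoji as two code points, 'ss'
GRIN_PW = "p\U0001F600\U0001F600ss"     # 'p', two grinning-face emoji, 'ss'

# bcrypt implementations silently ignore input past 72 bytes; a 19-emoji password is 76 bytes.
BCRYPT_INPUT_LIMIT = 72


def utf8_digest(password: str) -> str:
    """The correct path: hash (in practice, a KDF) over the UTF-8 bytes, nothing converted."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def lossy_ascii(password: str, errors: str = "replace") -> str:
    """An ASCII-only path. 'replace' turns each non-ASCII code point into '?',
    'ignore' drops it. Login still 'works', against a weaker effective password."""
    return password.encode("ascii", errors=errors).decode("ascii")


def collides_after_lossy_conversion(a: str, b: str, errors: str = "replace") -> bool:
    """True when two distinct passwords become the same string on the ASCII path."""
    return a != b and lossy_ascii(a, errors) == lossy_ascii(b, errors)


def utf8_byte_length(password: str) -> int:
    return len(password.encode("utf-8"))


def exceeds_bcrypt_limit(password: str) -> bool:
    """Bytes past 72 never reach bcrypt, so they add nothing to the password's strength."""
    return utf8_byte_length(password) > BCRYPT_INPUT_LIMIT


if __name__ == "__main__":
    print(lossy_ascii(PLANE_PW), lossy_ascii(GRIN_PW))                # both 'p??ss'
    print(lossy_ascii(PLANE_PW, "ignore"))                            # 'pss'
    print(collides_after_lossy_conversion(PLANE_PW, GRIN_PW))         # True
    print(utf8_digest(PLANE_PW) == utf8_digest(GRIN_PW))              # False on the UTF-8 path
    print(utf8_byte_length("\u2708\uFE0F"), utf8_byte_length("\U0001F600"))  # 6 and 4 bytes
    print(exceeds_bcrypt_limit("\U0001F600" * 19))                    # True: 76 bytes
```

A verifier should either take the full UTF-8 byte string end to end or reject non-ASCII at password-set time; silently converting, as the ASCII path above does, is the outcome that looks like it works and is the weakest of the three.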

    sarmale ,

    Can you write any Unicode character? Gotta make passwords in cuneiform

    Salamendacious OP ,
    @Salamendacious@lemmy.world avatar

    Wingdings for life baby!

    rdri ,

    Wingdings is a font.

    Salamendacious OP ,
    @Salamendacious@lemmy.world avatar

    That was a joke. There now we both said something that was plainly obvious.

    bingbong ,

    (👁 ͜ʖ👁) 𓂺

    -The most secure password
