You can totally use emojis as passwords. You can probably even make this a policy at your company.

Edit: I thought this was an obvious enough joke, but just to clear things up: Only do this if you hate your company and everyone working there.

  • Tibert@jlai.lu
    1 year ago

    Using emoji is a bad idea.

    Here is why (without a password manager, which removes the hard, but not the incompatible):

    • Some emojis can be nonexistent on other devices. So you may not be able to log in on another device.
    • An emoji is hard to remember if you need to type it with an alt code, while also being easy to crack.
    • For a computer, an emoji is nothing other than a character. So hard to type, easy to crack.
    • More likely you use an emoji someone else used. So it could maybe be easier to crack.

    And you don’t need to believe me https://nordpass.com/blog/emoji-passwords/

    • deadcade@lemmy.deadca.de
      1 year ago

      NordPass is completely incorrect on the "it makes a password easier to 'crack'" thing.

      I absolutely don’t recommend using emojis in your password, as it is far too easy to get locked out. However, a password containing an emoji is significantly harder to crack.

      Hashing is a process used to calculate a large number based on some input data. If the input is the same, the output is the same. If the input differs just slightly, the output is completely different. This process is mathematically irreversible. Since this (and other techniques) is often used for passwords, to “crack”/bruteforce a password, the attacker has to go through every possible combination of input data, calculate the hash, and check if the hash is the same as the password hash.

      To make the process of bruteforcing a hash quicker, an attacker often makes assumptions about the input data. If they know a password contains 8 characters, and only lowercase letters, this massively narrows down the amount of passwords that need to be hashed and checked. If they know the password contains someone's birth year, that too reduces the time to bruteforce a password.

      The more possible characters you have per position in your password, the longer it will take to bruteforce. An 8 character password with just lowercase letters has 208.827.064.576 possible combinations. This sounds like a lot, but it’s often bruteforced rather quickly. Adding uppercase letters and numbers to that, we’re already at 218.340.105.584.896 possible combinations. That’s ~1000x more combinations, and that’s for 8 characters. It’s the difference between bruteforcing taking a day, and taking 1000 days. (Do note an 8 characters lowercase password probably only takes like a few seconds to minutes, not a full day.)

      According to https://emojipedia.org/stats there are 3664 different emojis. Let's say we create an 8 emoji password. (Some emojis aren't one character internally, the same principle still applies.) Just 8 completely randomly chosen emojis. That password would have 32.482.071.647.592.311.234.920.185.856 different possible combinations. That is about 148.768.232.755.857 times more combinations than an 8 character uppercase+lowercase+numbers password. That is the difference between bruteforcing taking a day or taking 407584199331 years.

      The same things as non-emoji passwords still apply, you can make assumptions about which emojis are used. People aren’t entirely random, so chances are higher they used some of the more common emojis. However, that is similar to prioritizing the letter “e” because it is more common. Yes, it’ll probably reduce the time taken to bruteforce a bunch of passwords, but it’s not set in stone that every password will even contain the letter “e”.

      Again, due to the potential of breaking things, locking yourself out, etc. I DO NOT recommend using emojis. Use a password manager with longer passwords.

      However, including an emoji in your password makes it significantly more difficult to bruteforce, as the assumption that the characters in your password are letters, numbers, and symbols no longer holds, which drastically increases the possible number of combinations.

      • deadcade@lemmy.deadca.de
        1 year ago

        For somewhat more realistic numbers:

        According to minerstat.com, an NVIDIA RTX 4090 has a hashrate of 118.07MH/s. This is 118.07 Megahashes per second, or 118.070.000 hashes per second. For a password with only 8 lowercase letters (208.827.064.576 combinations), it would take an RTX 4090 approximately 1769 seconds (or ~30 minutes) to go through all possible combinations. For an 8 character upper+lower+numbers password (218340105584896 combinations) it would take 1849243 seconds, or 21.4 days.

        For an 8 emoji password (32482071647592311234920185856 combinations), it would take 275.108.593.610.504.896.512 seconds, or 8.723.636.276.335 years.

        Let's say a magic prediction algorithm reduces the number of possible combinations in each password to 1 out of every 1 million previously possible combinations. 8 lowercase letters would be cracked instantly, while an 8 emoji password would still take 8.723.636 years.

        • These statistics aren’t entirely correct. There are 3664 emoji, so an 8 emoji password would take ½*3664^8 attempts to crack on average, or 1.6 * 10^28 attempts or about 10^20 seconds on a single 4070. That’s ignoring the fact emoji are more than one single byte; at byte level, an 8 emoji password is probably 24 bytes long, but it can be much longer.

          Now, this number could be reduced by a dictionary attack (⚽ doesn’t get combined with gender or skin tone, generally) and emoji like 🏴󠁧󠁢󠁳󠁣󠁴󠁿 can increase the number (🏴󠁧󠁢󠁳󠁣󠁴󠁿 is one glyph but encoded in 28 bytes!).

          In practice, though, I don’t think people would be able to remember whether they used 💙 or 🩵. That makes it rather impractical for normal people to use. Also, software isn’t generally tested for this. The Steam Deck had a bug on release where it would crash and reboot if you opened up the emoji selection screen in the password field for initial setup, for example.

          Just adding a single emoji to a password would probably make it uncrackable already, because brute forcing tools like John the Ripper don’t include these Unicode ranges by default. Then again, so does adding 𓂸.
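
Added example, not part of any comment in this thread: a short Python check of the keyspace and exhaustion-time arithmetic discussed above, plus what a hash function actually receives when a password contains emoji. The hashrate and alphabet sizes are the thread's figures; the sample strings, function names and the use of SHA-256 as a stand-in hash are assumptions made for illustration.

```python
import hashlib

HASHRATE = 118_070_000            # hashes/s: the RTX 4090 figure quoted in the thread
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed sample strings, written as escapes so the code points are visible.
SCOTLAND_FLAG = "\U0001F3F4\U000E0067\U000E0062\U000E0073\U000E0063\U000E0074\U000E007F"
HEART_TEXT = "\u2764"             # heart without a variation selector
HEART_EMOJI = "\u2764\ufe0f"      # same heart plus U+FE0F (emoji presentation)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates when every position is drawn uniformly at random."""
    return alphabet_size ** length


def exhaust_seconds(alphabet_size: int, length: int, hashrate: int = HASHRATE) -> float:
    """Worst-case time to try the whole keyspace; the average is half of this."""
    return keyspace(alphabet_size, length) / hashrate


def encoding_profile(password: str) -> dict:
    """What the hash function actually receives: code points versus UTF-8 bytes."""
    return {"code_points": len(password), "utf8_bytes": len(password.encode("utf-8"))}


def same_digest(a: str, b: str) -> bool:
    """SHA-256 stands in for the verifier's hash; every hash operates on bytes like this."""
    return hashlib.sha256(a.encode("utf-8")).digest() == hashlib.sha256(b.encode("utf-8")).digest()


if __name__ == "__main__":
    for label, size in (("lowercase", 26), ("upper+lower+digits", 62), ("emoji", 3664)):
        secs = exhaust_seconds(size, 8)
        print(f"{label:>20}: {keyspace(size, 8):.3e} candidates, "
              f"{secs:.3e} s ({secs / SECONDS_PER_YEAR:.3e} years)")
    print("flag:", encoding_profile(SCOTLAND_FLAG))
    print("hearts hash alike:", same_digest(HEART_TEXT, HEART_EMOJI))
```

The two heart strings render the same on many platforms but differ by one code point, so they hash differently; that is the lock-out risk the comments describe when a password is typed on a different keyboard or device.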

    • Luccus@feddit.deOP
      1 year ago

      We are sorry, your request could not be processed. 😊

      As you know, at Corp.inc we believe that the most important thing there is, is human connection. ❤️ For this reason, every complaint must contain at least 2 happy emojis or 1 heart.

      Please resubmit your concern accordingly. 😉

      with love, Corp.inc - Issue Management