Emojis are known to break systems in certain circumstances due to the way they’re interpreted in certain character sets.
I guarantee people doing this will not only lock out their own accounts, but may even freeze some authentication servers.
https://www.pcmag.com/news/want-to-brick-an-iphone-send-some-emojis
The website should feed your password straight into a well known hashing algorithm or key derivation function that has undergone a decade or more of careful scrutiny, without any other processing. The output will usually be a fixed length base64 or hex string.
There’s a short list of about three options that are currently considered acceptable, and a few more are probably fine but are a little too easy to crack these days (e.g. anything that shares the same math as bitcoin… what if someone throws a mining datacentre at your password?)
If the site breaks, maybe you don’t to be a customer of that service.
Can you still log in to wellsfargo accounts using the T9 translation of your password?
It’s not the processing on the server that’s the problem. To reach the server the password needs to go through several layers of character encoding, if any of them fails the server will receive something different from what you meant. And when you try to login from another device and the layers will be different you’ll effectively be sending a different password.
make one account with emoji password to test their system, if it break, good, go create hour account somewhere else
Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin’ for not stripping non-UTF characters (or making sure they work).
My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn’t have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn’t even recognize it.
So if anything, I’d say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboards layout can be installed across devices and are fully standardized, even if the same character looks slightly different.
Stripping characters from passwords, great idea! Right up there with truncating passwords that are too long.
Not from passwords, from password fields. In the same way that ", ’ and various types of brackets can’t be used since they could be used for code injections.
That’s not how any of this works.
First of all, stripping passwords is never okay. You can reject the password and let the user choose a new one, but never just modify it on your own.
Then, if your system is at risk of code injection by certain characters in user input, please just shut it down and never turn it on again.
Doing that is actually a great way to tell attackers that you’re vulnerable to that type of attack.
Bypassing those front end restrictions is super easy, and the attackers don’t need an account or a password to attack you.
It’s like putting a sign that says “lock fragile; don’t tug” on the door to your business.
It’s like putting a sign that says “lock fragile; don’t tug” on the door to your business.
That one made me chuckle, it really do be like that 😂
Learn how to sanitise your database inputs first, damnit!
also some OSKs put whitespaces after inserting an emoji, some doesn’t. there’s no unified emoji input method yet.
If some auth server breaks because I put emojis in my password then that’s right and deserved
auth servers breaking from emojis would be hilarious, pretty sure that’s why older auth servers only allow certain symbols in passwords
OTOH, there is only one character set that matters, and any system using a different one is, by that fact alone, broken.
and there are many trash implementations that dont recognise something like :emoticon: as shortcut and turn it into emoji, no no you have to use emoji keyboard to type them
Good luck logging in a Smart TV.
Security Experts probably don’t log into smart tvs all that often. Just a guess.
All the apps I’ve used recently use QR codes (or similar measures, like a sync code) that has you log in from the phone, so it should work anyway!
In my experience the only one that works with any degree of reliability is YouTube. Even the Netflix one can be fairly intermittent.
Also a lot in the time you’ll go away and the hotel you’re in will have a smart TV and the software was last updated in 2011 so you have to sign in on the device.
💯🐴🔋(umm, staple)
Jeez, you’re right. We got pens, pencils, stock charts, even those folders with the colored label tabs, but no stapler, the most basic of office equipment.
When it’s added, I expect most implementations will make it red.
I want it to be pregnant
Preganant?
Security expert reveals surprising way to induce headaches
Security experts don’t actually have to work on corporate IT systems.
So you’ve set your password to contain a 😇 have you?
Ok so how are you going to type it on this desktop computer keyboard here…
Yeah I thought not.I’ll just go reset your password shall I?
win+.
(works on kde too afaik…?)I’ll let you be in charge of teaching them that. I literally had to talk someone through how to type an exclamation mark today, I don’t think they’re going to handle the extended Unicode character set.
I’d rather staple my forehead to a telephone pole before I ever think about using an emoji in a password. Those things are abominations!
Out of curiosity, what makes you say so?
Edit: Oh. Did a “Wooosh” happen to me right now? Are you being ironic and referring to the XKCD thing about how to make a secure password using words in phrases?
👆
Terrible idea, good luck logging in on desktop.
You know there’s someone somewhere who would answer you with, “what’s a desktop?”
Here is an alternative Piped link(s):
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
Listen here, you little shit
Dammit I’d forgotten that awful commercial. Angry upvote.
deleted by creator
Wait, you can’t type emoji on your desktop? I feel sorry for you. 🥺
I have no idea how you could either. I don’t know how to create them with s keyboard
Winkey + .
Works on Windows and some Linux distros by default
Firefox has an addon that opens up an emoji panel.
For Windows 10/11, its win+; to open the emote window.
Cmd+Ctrl+Spacebar on Mac
Who needs Reddit when people like you are here on Lemmy.
It’s Windows logo key + . (period).
That doesn’t work on the desktop last I checked.
But it’s actually possible to set a password with emojis anyways (or at least for domain accounts). I successfully logged in on a VM using the Hyper-V window and pasting the emoji from the host. You can also name an account a single emoji and windows actually handles it decently. It’s very likely to break a lot of programs though.
Its worked on desktops for years and works right now. As someone else pointed out “win+.” works as well. Or maybe its supposed to be the only way it works and mine is bugged? Idk. I found it via trying to lock my desktop and mistyping.
xkcd still has the best approach to this; four random common words
I like doing entire phrases with some rhymes thrown in. Makes it easier to remember them.
“BonyTonyMoansHe’sOnlyGrownLonely” has a shitload of characters, and a full sentence (even a nonsensical one like that) is more memorable to me than a random handful of disparate words.
The more ridiculous, the better. (And, naturally, don’t forget your numbers and symbols)
You can’t compare a 46 random character password to a password composed out of words, the entropy of each is very different. Your kind of password is vulnerable to dictionary attacks which are way more common and easy than brute forcing every possibility. A 50+ characters unique random password for each service that is stored in a password manager which is encrypted with a 20+ characters random password is the most secure and future proof (for now).
Dictionary attacks aren’t some magic bullet. There are a lot of english words and just four of them IS comparable in cracking difficult to a standard 8-char password that is as random as you can make it. There are a lot more words than there are symbols. Four words is obviously not as good as 46 totally random chars
Dictionary attacks are definitely not a magic bullet, they require a lot of processing power, just like any other brute-force attack, but not more because of their longer length, as has been implied.
True, there are a lot of english words, but the amount of common words is relatively small. Most people aren’t going to choose a password like “MachicolationRemonstranceCircumambulationSchadenfreude”, even if it were generated for them (which is unlikely).
Sure, it is comparable to a standard 8 characters passward, but even that kind of password is verging on the insecure (it is the absolute minimum, which should be avoided when possible).
There are also a lot of symbols when you count emojies and the entire Unicode standard.
Four words is too low these days to protect against gpu bruteforcing
I love it, Bitwarden has supported generating passphrase style passwords for a while and it’s basically that. It’s my go-to these days.
I prefer picking a sentence or so that has meaning to me, using the first letters, and then adjusting for numbers/symbols. So if I wanted to make that a pw, it’d be 1ppa505thm2m,utfl,atafn/5. -looks completely unintelligible, but as long as you can remember the sentence and have some ideas of how you would have encoded it, easy enough to remember/recreate.
good luck remembering all of those for every account you create, though.
Why are you not using a password manager
I want cross-device
I am, and I’m not jumping through hoops of making up a password sentence for every new website. I let Bitwarden take care of that for me.
It’s as easy to remember a bunch of those as it is remembering 4 random words with no association, I think. And besides, just use that for the big, important, pws likw your pw manager.
Password database
Until you get to a prompt that doesn’t support unicode.
As a software developer who has worked with a lot of symbols and emoji… PLEASE DON’T DO THIS.
Software doesn’t all handle these symbols the same way, and without tech knowledge (or even with, but having an understanding why) , it’s very possible to not be able to log in easily. I’m kinda drunk rn, but I’ll try to explain as simply as I can…
For example… skintone emojis are actually two characters, a face and a skin tone modifier. I think those ones are always two characters but some of these “multi-char” characters can be normalized into a single character. But not everyone handles this the same way. For example, Safari might normalize the emoji, but Firefox might treat it as two separate characters… And this would probably make your password not match. But basically… text has lots of edge cases; I’d advise to use normal passwords please (also maybe a password manager)
Thanks for the feedback! I’ll be sure to use non-printing characters instead of emojis for my passwords! (They can’t guess it if it’s invisible right?)
In all seriousness, why are people so adverse to using password managers? People are plenty willing to use the browsers built-in “remind my password” instead of a proper password solution such as bitwarden…
this feeeels like the stupidest idea ive ever heard… its not like theres really an emojii standard applied as universally as text, across devices or applications… the transforms that happen… this seems fraught with terribleness
am i missing something?
Emojis are standardized exactly the same way as text is, both are defined by the unicode standard. They might not be rendered uniformly, the same way that text rendering depends on the font.
If this isn’t satire, that’s literally what Unicode and UTF-8 are
Yes there is,
. I would say most modern devices/systems utilize it too. The reason they may look different from device to device is because the presentation style can be modified by vendors, somewhat similar to using different fonts to make letters look styled.
Completely useless from many sources where I have to rely on a keyboard for entering passwords.
Most modern OSes feature emoji pickers though
What part of the word “Keyboard” did you not understand?
Idk, mine can. https://docs.qmk.fm/#/feature_unicode
As it said in the document: With a little help from your OS. So I want to log into lemm.ee from another persons computer. I do have not my own keyboard, I neither have my additional drivers or extensions or whatever. Oops. No login.
Can you write any unicode cahracter? Gotta make passwords in cuneiform
What’s up with all the hate for emojis lmao
Back in my day we only had 95 printable characters, and that’s the way we liked it! /s
💀💀💀💀💀💀💀🗿🗿🗿🗿🗿🗿🗿🚣👍👍👍👍👍👍🔥🔥🔥🔥🔥🔥🔥 sigma
the emojis and text above are a part of the reason
People who use them tend to spam the hell out of them. Like, 8 of the same emoji. And they use them every other sentence. It’s obnoxious, you only need one or two to get the point across.
Antisocial people.
It was the same on Reddit. All of the people who despised emojis were often posting in really cringe and incel related subs.
My use of emojis sky rocketed after I started dating. They are fun and convey emotion really well.
I’m convinced emojis are what has been missing from language for a long time. They are great way to portray emotions through texts, which otherwise could not be achieved.
This way there is a difference between:
“You are so amazing 😁👍”
and
"You are so amazing 🙄 "
"You are so amazing 🙄 "
Greatest put down ever.
Same. I never used emojis until I met my SO, and then my emoji use skyrocketed. They’re a nice way of succinctly articulating some thoughts and emotions.
If I’m going to be relaying through to people strictly over text as much as I do these days, I better have a way to articulate it with the right emotional range to match my sparkling personality ✨
I wonder how often curse words or obscure slang are included in dictionary attacks.
What about non English words, or slang? That would be interesting information to have.
Anyone who takes any kind of advice from the fucking New York Post deserves what they get.