Did you ever consider allowing passwords based on emoji?

thsuw
Community Member
edited June 2015 in Lounge

I recently read an article on the use of emoji to replace usual combinations (letters / numbers / special characters...).
What's your opinion about it? Would you imagine (coding) providing such option?

source: tripwire.com/state-of-security/security-data-protection/could-emoji-passwords-be-safer-for-online-bank-users/

Comments

  • jpgoldberg
    1Password Alumni
    edited June 2015

    [Gah! The forum system broke with some of the characters I put in a sample password, and lost everything of my post after that character. I am rewriting the post now.]

    Hi @thsuw. That's an interesting question.

    First of all you (technically) can use any Unicode (UTF8) in your 1Password Master Password, so you can have a Master Password that looks like "ᐊᓕᒍᖅ ᓂᕆ➳⥢☜⚽︎☂". But we recommend that you stick with plain 7-bit US ASCII.

    Why stick to 7-bit US-ASCII?

    The simple reason is that 1Password simply looks at your Master Password as a sequence of bytes, but that Unicode (UTF8) is not guaranteed to represent the same sequence of characters as the same sequence of bytes.

    For example, an ö entered on a German keyboard may produce a different sequence of bytes than the same character entered into the same computer and system from a different keyboard. So as far as 1Password is concerned, those are not the same password.

    As emoji are rather new to Unicode, the support from various operating systems is only going to make things even less reliable.

    Strength through size

    Also keep in mind that making your Master Password longer will usually do much more for your security than expanding the character set you draw from in constructing a password.

    Let me illustrate with ordinary characters. Suppose we are contrasting a password made up of upper and lower case letters from the English alphabet. So 52 different possibilities with passwords that also include digits (so an alphabet of 62 different characters).

    A 15 character random password of letters only has a strength of 85.5 bits. A 15 character random password of letters and digits has a strength of 89.3 bits. So using a larger character set does help, but let's see what happens when we make the first password longer. A 16 character random password of letters only has a strength of 91.2 bits.

    So making that first password longer by one character gives more strength than adding digits to the possible set of characters. In general, you can get more security for the effort by making the password longer than by making it (seem) more complex.

  • hawkmoth
    Community Member

    I don't even want to think about typing that on an iOS device!

  • AGAlumB
    1Password Alumni

    @hawkmoth: :lol: I feel like iOS is actually easiest. An astonishing number of people were enabling the Japanese emoji keyboard there before it was made a first-class citizen for us Western users.

    While I agree with jpgoldberg that we're not there yet, with the popularity of emoji and its burgeoning standards and support across major platforms, it may be possible sooner than we think! :)

  • hawkmoth
    Community Member

    @brenty, this is what I wouldn't know how to enter on an iOS keyboard. Or, for that matter, on a Mac one either.

    Master Password that looks like "ᐊᓕᒍᖅ ᓂᕆ➳⥢☜⚽︎☂".

  • AGAlumB
    1Password Alumni
    edited June 2015

    @hawkmoth: The confusing part is that they look just different enough across platforms sometimes to throw you off. ;)

    Also, I think technically those are pictographs (since the forum doesn't allow actual emoji to be posted). Emoji are much more colourful. But the point stands.

  • Megan
    1Password Alumni

    @hawkmoth,

    I'm with you - I wouldn't know where to find those symbols on a keyboard either. :)

  • DaphneP
    Community Member

    The one concern I would have using emoji as passwords is there is still a bit of flux with them. For example consider the smilie faces... Using older devices the base emoji character would be sent. But newer OSes will send them along with a skin tone modifier character, this means that the "same" character might be different between two different OS versions and almost impossible to enter on one or the other.

  • khad
    1Password Alumni

    Precisely, @DaphneP.

    The "geeky details" from Should I use special characters in my Master Password?:

    1Password has full Unicode support for Master Passwords and is therefore indifferent to character set and character encoding choice. It will use whatever is passed to it. The difficulty is that different operating systems and environments can hand a different chunk of data to 1Password depending on the system it was entered on, even if it is the “same” from the user’s point of view.

    For example, the glyph ö might be passed to 1Password in different ways by the input system. Sometimes keyboard combinations (Option-U then o on a Mac) will give different results than, say, a single key press on a German keyboard layout. The character looks the same on your screen in either case, but the various input systems might be giving a different sequence of bytes to 1Password.

    While we have not intentionally limited the input for Master Passwords to certain character encodings, there may be cases where what is entered is not what 1Password receives. Unless you stick to a single platform and keyboard layout, the only really safe bet is to stick with old-fashioned US-ASCII.
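
The byte-level mismatch described in the posts above (ö entered two ways, and an emoji with or without a skin tone modifier), shown as an added example that is not part of the thread and not 1Password's code. The PBKDF2 parameters, the salt, the sample strings and the NFKC normalization step are assumptions chosen for illustration.

```python
import hashlib
import unicodedata

# Constructed sample inputs: each pair renders (nearly) the same on screen.
PAIRS = {
    # precomposed U+00F6 vs. "o" followed by combining diaeresis U+0308
    "o-umlaut": ("\u00f6", "o\u0308"),
    # base thumbs-up emoji vs. the same emoji followed by a skin tone modifier
    "thumbs-up": ("\U0001F44D", "\U0001F44D\U0001F3FD"),
    # soccer ball vs. soccer ball followed by a text variation selector
    "soccer": ("\u26bd", "\u26bd\ufe0e"),
}
SALT = b"constructed-salt"  # fixed only so the demonstration is repeatable


def derive_key(password: str, normalize: bool = False) -> bytes:
    """Derive a key from the UTF-8 bytes of the password, the way a
    byte-oriented key derivation function sees it."""
    if normalize:
        # Assumed mitigation: canonicalize before encoding to bytes.
        password = unicodedata.normalize("NFKC", password)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 10_000)


def compare(a: str, b: str) -> dict:
    """Show the raw bytes of two look-alike inputs and whether their keys agree."""
    return {
        "bytes_a": a.encode("utf-8").hex(),
        "bytes_b": b.encode("utf-8").hex(),
        "raw_keys_match": derive_key(a) == derive_key(b),
        "normalized_keys_match": derive_key(a, True) == derive_key(b, True),
    }


def report() -> dict:
    return {name: compare(a, b) for name, (a, b) in PAIRS.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

Normalization reconciles the two encodings of ö, but not the skin tone modifier or variation selector cases, because those are genuinely different code point sequences rather than alternate encodings of one character.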

  • AGAlumB
    1Password Alumni

    The one concern I would have using emoji as passwords is there is still a bit of flux with them. For example consider the smilie faces... Using older devices the base emoji character would be sent. But newer OSes will send them along with a skin tone modifier character, this means that the "same" character might be different between two different OS versions and almost impossible to enter on one or the other.

    @DaphneP: Excellent point! I think it would probably be slightly less confusing if the OSes exposed the emoji names (which are standardized), so that one could, say, select "Grinning face with smiling eyes" (wow, some of those are pretty scary looking...) on both Android and Windows by name, regardless of appearance. That might "translate" easier, but as it stands you really can't be completely certain unless you're setting it and entering it later on the same platform.

This discussion has been closed.