Emoji passwords are weak?
Some websites allow passwords to be composed exclusively of emojis. For example, "๐๐๐๐๐๐คจ๐ค๐" is a legal password on Reddit.
Watchtower says that the password above is "weak". Is it, though? I would say that it's probably the strongest password I've ever seen haha
If there's some theoretical foundation in what I'm saying, the strength algorithm could maybe be adjusted to take into account that there could be obscure Unicode symbols in the password.
Thanks!
1Password Version: 1Password for Windows 8.9.10 (80910043)
Extension Version: Not Provided
OS Version: Windows
Browser:_ Not Provided
Comments
-
Hi there @matteocontrini
Generally, I'd recommend against using high-Unicode characters, like emoji, as a password (or even part of it). Unicode handling can vary dramatically from website to website.
Using your hypothetical password (๐๐๐๐๐๐คจ๐ค๐) as an example, it's made up of only 8 characters, and of those, there are 3 ๐, 2 ๐, a ๐, a ๐คจ, and a ๐ค.
If we "translated" those into more typical characters, such as ASCII, that's equivalent to a password of
aabcbdea
, which is clearly very weak! Watchtower will have seen that there isn't much variation in that hypothetical password and that's why it's classed as weak.For maximum compatibility, I'd suggest sticking to the standard ASCII set of characters, shown here:
Letters: A-Z and a-z
Numbers: 0-9
Space, entered by pressing the Space bar
Symbols: !"#$%&'()*+,-./:;?@[]^_`{|}~Particularly when it comes to more complex emoji, including things like skin tone, the way that those emoji could be handled by older systems could be wildly different, so it's (in my view) not worth the gamble.
Hope that clarifies it. I'll be here if you need any further help. :)
โ Grey
0 -
@GreyM1P thanks for the reply! I understand your recommendation, but my question was more about the security of the password, not the compatibility. (And I don't actually plan to use emojis as a password.)
My assumption is that a password containing weird Unicode symbols is a safer password, since brute force attacks are probably less likely to have emojis in their alphabet. Emojis are maybe an extreme example, but what about Chinese characters, for example? That's more likely to happen, I think. And I thought that a password strength algorithm would take that into consideration. Is it expected that it doesn't?
(For the record, even 8 different emojis are considered weak by Watchtower.)
Thanks again.
0 -
Glad I could help.
(And I don't actually plan to use emojis as a password.)
Phew! Emojis as a password are one of those things that are potentially technically feasible, but could fail in a very disruptive way. For example, you might be able to set a password containing emojis, but because of how the website sanitises its inputs, or stores its passwords, or processes Unicode (or many other factors!) you might end up not being able to sign back in.
My assumption is that a password containing weird Unicode symbols is a safer password
It's possible, but the trade-off with how that's handled by websites isn't worth the risk, in my view. I'd expect the majority of websites would reject a password containing an emoji. Considering how often websites reject particular symbols, emojis could be a bridge too far.
since brute force attacks are probably less likely to have emojis in their alphabet
True, but most passwords are cracked using a list or a dictionary attack. While emojis would make those unlikely, it would only be a matter of time before those started showing up in big lists.
Emojis are maybe an extreme example, but what about Chinese characters, for example?
There is a huge number of Chinese characters, but again, the way those are handled make them tricky to use. They're also difficult to enter, especially in concealed fields.
I thought that a password strength algorithm would take that into consideration. Is it expected that it doesn't? (For the record, even 8 different emojis are considered weak by Watchtower.)
8 different emoji as a password will still only be as random as
abcdefgh
(or any other 8-character password), so, yes, I'd expect that to appear weak, regardless of the character set.0