Emoji passwords are weak?

matteocontrini
Community Member
edited January 2023 in Lounge

Some websites allow passwords to be composed exclusively of emojis. For example, "😂😂😎๐Ÿ˜😎🤨🤑😂" is a legal password on Reddit.

Watchtower says that the password above is "weak". Is it, though? I would say that it's probably the strongest password I've ever seen haha

If there's some theoretical foundation in what I'm saying, the strength algorithm could maybe be adjusted to take into account that there could be obscure Unicode symbols in the password.

Thanks!


1Password Version: 1Password for Windows 8.9.10 (80910043)
Extension Version: Not Provided
OS Version: Windows
Browser: Not Provided

Comments

  • Hi there @matteocontrini

    Generally, I'd recommend against using high-Unicode characters, like emoji, as a password (or even part of it). Unicode handling can vary dramatically from website to website.

    Using your hypothetical password (😂😂😎๐Ÿ˜😎🤨🤑😂) as an example, it's made up of only 8 characters, and of those, there are 3 😂, 2 😎, a ๐Ÿ˜, a 🤨, and a 🤑.

    If we "translated" those into more typical characters, such as ASCII, that's equivalent to a password of aabcbdea, which is clearly very weak! Watchtower will have seen that there isn't much variation in that hypothetical password and that's why it's classed as weak.

    For maximum compatibility, I'd suggest sticking to the standard ASCII set of characters, shown here:

    Letters: A-Z and a-z
    Numbers: 0-9
    Space, entered by pressing the Space bar
    Symbols: !"#$%&'()*+,-./:;?@[]^_`{|}~

    Particularly when it comes to more complex emoji, including things like skin tone, the way that those emoji could be handled by older systems could be wildly different, so it's (in my view) not worth the gamble.

    Hope that clarifies it. I'll be here if you need any further help. :)

    — Grey

  • matteocontrini
    Community Member
    edited January 2023

    @GreyM1P thanks for the reply! I understand your recommendation, but my question was more about the security of the password, not the compatibility. (And I don't actually plan to use emojis as a password.)

    My assumption is that a password containing weird Unicode symbols is a safer password, since brute force attacks are probably less likely to have emojis in their alphabet. Emojis are maybe an extreme example, but what about Chinese characters, for example? That's more likely to happen, I think. And I thought that a password strength algorithm would take that into consideration. Is it expected that it doesn't?

    (For the record, even 8 different emojis are considered weak by Watchtower.)

    Thanks again.

  • @matteocontrini

    Glad I could help.

    > (And I don't actually plan to use emojis as a password.)

    Phew! Emojis as a password are one of those things that are potentially technically feasible, but could fail in a very disruptive way. For example, you might be able to set a password containing emojis, but because of how the website sanitises its inputs, or stores its passwords, or processes Unicode (or many other factors!) you might end up not being able to sign back in.

    > My assumption is that a password containing weird Unicode symbols is a safer password

    It's possible, but the trade-off with how that's handled by websites isn't worth the risk, in my view. I'd expect the majority of websites would reject a password containing an emoji. Considering how often websites reject particular symbols, emojis could be a bridge too far.

    > since brute force attacks are probably less likely to have emojis in their alphabet

    True, but most passwords are cracked using a list or a dictionary attack. While emojis would make those unlikely, it would only be a matter of time before those started showing up in big lists.

    > Emojis are maybe an extreme example, but what about Chinese characters, for example?

    There is a huge number of Chinese characters, but again, the way those are handled makes them tricky to use. They're also difficult to enter, especially in concealed fields.

    > I thought that a password strength algorithm would take that into consideration. Is it expected that it doesn't? (For the record, even 8 different emojis are considered weak by Watchtower.)

    8 different emoji as a password will still only be as random as abcdefgh (or any other 8-character password), so, yes, I'd expect that to appear weak, regardless of the character set.

This discussion has been closed.
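
An added example, not part of the original thread and not 1Password's or any website's code, showing the Unicode handling differences the replies describe: how one password has several "lengths", how two inputs that look identical can hash differently unless normalised, and how a filter that drops high code points erases an emoji password. The sample passwords, function names, the SHA-256 stand-in for a password hash and the `legacy_bmp_only` sanitiser are all assumptions made for illustration.

```python
import hashlib
import unicodedata

# Constructed sample inputs (not taken from any real account).
EMOJI_PW = "\U0001F602\U0001F60E\U0001F928\U0001F911" * 2   # 8 emoji
COMPOSED = "caf\u00e9"         # "é" as one code point
DECOMPOSED = "cafe\u0301"      # "e" + combining acute accent, renders the same
THUMB_TONE = "\U0001F44D\U0001F3FD"  # one visible emoji: thumbs up + skin tone modifier


def measures(password):
    """Three lengths a site might check against its password length limits."""
    return {
        "code_points": len(password),
        "utf8_bytes": len(password.encode("utf-8")),
        "utf16_units": len(password.encode("utf-16-le")) // 2,
    }


def digest(password, form=None):
    """SHA-256 stands in for a real password hash; only the input bytes matter here."""
    if form:
        password = unicodedata.normalize(form, password)
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_login(a, b, form=None):
    """True if both inputs would produce the same stored verifier."""
    return digest(a, form) == digest(b, form)


def legacy_bmp_only(password):
    """Hypothetical legacy sanitiser that silently drops characters above U+FFFF."""
    return "".join(ch for ch in password if ord(ch) <= 0xFFFF)


if __name__ == "__main__":
    print(measures(EMOJI_PW))
    print(measures(THUMB_TONE))
    print("raw bytes match:", same_login(COMPOSED, DECOMPOSED))
    print("NFC bytes match:", same_login(COMPOSED, DECOMPOSED, "NFC"))
    print("after legacy filter:", repr(legacy_bmp_only(EMOJI_PW)))
```

A site that applies one of these steps when the password is set and a different one at sign-in stores a verifier the user can no longer reproduce.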