You can totally use emojis as passwords. You can probably even make this a policy at your company.

Edit: I thought this was an obvious enough joke, but just to clear things up: Only do this if you hate your company and everyone working there.

  • Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    arrow-up
    110
    arrow-down
    6
    ·
    1 year ago

    Simple trick to make it hard for Chinese state hackers: include the Taiwanese flag (🇹🇼) in every password you use. Chinese software like Chinese iOS has limitations that prevent typing those characters, and attempts to render it will turn the flag into a general “unsupported unicode” character.

    To make your password even safer, also add the penis hieroglyph (𓂸) which is censored on Windows.

    Add a bunch of zero width spaces in the middle to make copying passwords even harder, and then add a right to left override at the end to make password dumps unreadable.

    It’s not like you should run into this stuff 99% of the time because it’s the year or our gourd 2023 and all but two or three passwords should be stored in your password manager anyway.

    • Fonzie!@ttrpg.network
      link
      fedilink
      arrow-up
      22
      ·
      1 year ago

      To make your password even safer, also add the penis hieroglyph (𓂸) which is censored on Windows.

      I can see it on Windows 10…

      Other than that, I love these ideas you evil bastard!

      • Skull giver@popplesburger.hilciferous.nl
        link
        fedilink
        arrow-up
        12
        arrow-down
        1
        ·
        1 year ago

        Interesting, last time I checked the hieroglyph was censored on Windows 10 and Windows 11. Perhaps the application or website you’re using is pulling the hieroglyph font from some other place, like an online font somewhere?

        Either way, long live the penis hieroglyph, the urinating penis hieroglyph, and the penis covered by a little bit of cloth hieroglyph!

        • Fonzie!@ttrpg.network
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          My software is Firefox…

          This may be a regional or localisation thing, maybe your set up doesn’t have a font for those hieroglyphs, so they appear as “tofu”?

          • Nope, other hieroglyphs from the set appeared just fine last time I checked. I think you had to combine certain characters from that character set for them to show up? Either way, it was specifically a thing with Segoe UI Historic, maybe Microsoft fixed it.

    • Knusper@feddit.de
      link
      fedilink
      arrow-up
      15
      ·
      1 year ago

      To make your password even safer, also add the penis hieroglyph (𓂸) which is censored on Windows.

      When they’re asking you for an extra long password…

      • Acters@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        1 year ago

        You could memorize how many emojis vs. a long number. Say you got 5 💀, 2 🇹🇼, 3 👀, and 7 💩 or take a special number like a pin and attribute emojis to each digit. Doesn’t matter how you remember it, password manager or not, the added digits are great to have as there are more symbols to crack. This makes common passwords less common as there is a possibility that there is a larger pool of common passwords that dilute the probability table.(“flattening” a bell curve) This is a smaller increase in the amount of work needed to go through a dictionary, custom made, standard, or list of leaked common passwords. However, it is beneficial to create large delays in password cracking for situations where the attack is done at a large scale vs. a targeted approach.

        Limiting to integer may not seem like a good idea, but the symbols and digits are all converted to binary either way. So instead of integers, why not just cut the middle man and just have it all be binary in the first place? 128 bits can provide 2^128 unique values to use. A computer can easily make a random number, and the use of a password manager can save it. After this, it turns into a key signing system, [cryptography](https://en.wikipedia.org/wiki/Key_(cryptography\)). In the end, passwords are dumb and we want to use them because we like the feeling of knowing the secret magic phrase/word that can be easily be shared through most forms of communication, especially verbal.

        Sorry about the rant/brain dump. I just wrote whatever came to mind

  • föderal umdrehen@feddit.de
    link
    fedilink
    arrow-up
    101
    ·
    edit-2
    1 year ago

    And here I am avoiding even special characters because I worry about having to enter them on a French keyboard at some point.

    Do be aware that a single emoji is often composed of multiple Unicode characters (e.g. base emoji + gender modifier + skin tone modifier). Entering that on the command line is going to be fun.

    • Xartle@lemmy.ml
      link
      fedilink
      arrow-up
      58
      ·
      1 year ago

      On the upside, you could probably satisfy length and complexity requirements with just one emoji. ;)

    • IsoKiero@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      18
      ·
      1 year ago

      And here I am avoiding even special characters because I worry about having to enter them on a French keyboard at some point.

      I use only special characters that are on the same places with most layouts (at least english and finnish). I suppose passwords with ä or ö might be a bit more resistant to brute-force attacks, but it causes far more problems than it might theoretically solve.

      • PlexSheep@feddit.de
        link
        fedilink
        arrow-up
        10
        ·
        1 year ago

        Longer passwords make your passwords exponentially more secure, in terms of security bits. Length matters.

        • IsoKiero@sopuli.xyz
          link
          fedilink
          English
          arrow-up
          8
          ·
          1 year ago

          True, and for most credentials I of course use password manager, but things like workstation password are still something I need to manually type out and for those 65 random characters aren’t really practical. And for those I use things like ‘HorseBattery69+’ instead of ‘SalainenSäläsänä69+’ since while they (could be) equally long and complex the latter is pretty much impossible to type out if keyboard setting is something else than finnish (swedish works too I think).

      • ö and ä can be risky because there are multiple ways in which they can be encoded. ä can either be the backwards compatible “a with umlaut” or it can be “a” + joiner + “diaeresis”. Software is supposed to normalise this, but it you’ve ever used a non-Latin character in your Windows username you’ll realise how little software actually bothers to normalise input.

        That means you can run into things like “if I enter my password on my PC it works, but if I enter it on my phone it doesn’t, unless I use this specific keyboard app”.

      • PupBiru@kbin.social
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        also nothing that looks the same for the annoying time when you do have to do some analog copying

        no I, l, or | and i usually avoid ‘, “, !, /, \ (which one was it again?) and a few others that i have set in my password manager

    • merde alors@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      that happened to me :/

      i couldn’t login using AZERTY. i thought i fucked up and forgotten my password but no, same letter was encoded as a different character in 2 different languages 🤷

      • föderal umdrehen@feddit.de
        link
        fedilink
        arrow-up
        6
        ·
        edit-2
        1 year ago

        Why not? Pretty much all software from the past twenty years has been UTF-8 compatible. The issue is more that you may at some point be in a situation where you can’t (directly) use your password manager.

  • Tibert@jlai.lu
    link
    fedilink
    arrow-up
    44
    arrow-down
    4
    ·
    edit-2
    1 year ago

    Using emoji is a bad idea.

    Here is why (without a password manager which removes the hard, but not the incompatible) :

    • some emojis can be inexistent on other devices. So you may not be able to log in on another device.
    • An emoji is hard to remember if you need to type them with an alt code, while also being easy to crack.
    • For a computer, and emoji is nothing else than a character. So hard to type, easy to crack.
    • More likely you use an emoji someone else used. So it could maybe be easier to crack.

    And you don’t need to believe me https://nordpass.com/blog/emoji-passwords/

    • deadcade@lemmy.deadca.de
      link
      fedilink
      arrow-up
      27
      ·
      1 year ago

      NordPass is completely incorrect on the "it makes a password easier to “crack” thing.

      I absolutely don’t recommend using emojis in your password, as it is far too easy to get locked out. However, a password containing an emoji is significantly harder to crack.

      Hashing is a process used to calculate a large number based on some input data. If the input is the same, the output is the same. If the input differs just slightly, the output is completely different. This process is mathematically irreversible. Since this (and other techniques) is often used for passwords, to “crack”/bruteforce a password, the attacker has to go through every possible combination of input data, calculate the hash, and check if the hash is the same as the password hash.

      To make the process of bruteforcing a hash quicker, an attacker often makes assumptions about the input data. If they know a password contains 8 characters, and only lowercase letters, this massively narrows down the amount of passwords that need to be hashed and checked. If they know the password contains someones birth year, that too reduces the time to bruteforce a password.

      The more possible characters you have per position in your password, the longer it will take to bruteforce. An 8 character password with just lowercase letters has 208.827.064.576 possible combinations. This sounds like a lot, but it’s often bruteforced rather quickly. Adding uppercase letters and numbers to that, we’re already at 218.340.105.584.896 possible combinations. That’s ~1000x more combinations, and that’s for 8 characters. It’s the difference between bruteforcing taking a day, and taking 1000 days. (Do note an 8 characters lowercase password probably only takes like a few seconds to minutes, not a full day.)

      According to https://emojipedia.org/stats there are 3664 different emojis. Lets say we create an 8 emoji password. (some emojis aren’t one character internally, the same principle still applies.) Just 8 completely randomly chosen emojis. That password would have 32.482.071.647.592.311.234.920.185.856 different possible combinations. That is about 148.768.232.755.857 times more combinations than an 8 character uppercase+lowercase+numbers password. That is the difference between bruteforcing taking a day or taking 407584199331 years.

      The same things as non-emoji passwords still apply, you can make assumptions about which emojis are used. People aren’t entirely random, so chances are higher they used some of the more common emojis. However, that is similar to prioritizing the letter “e” because it is more common. Yes, it’ll probably reduce the time taken to bruteforce a bunch of passwords, but it’s not set in stone that every password will even contain the letter “e”.

      Again, due to the potential of breaking things, locking yourself out, etc. I DO NOT recommend using emojis. Use a password manager with longer passwords.

      However, including an emoji in your password makes it significantly more difficult to bruteforce. As the assumption that the characters in your password are letters, numbers, and symbols no longer holds, which drastically increases the possible number of combinations.

      • deadcade@lemmy.deadca.de
        link
        fedilink
        arrow-up
        12
        ·
        1 year ago

        For somewhat more realistic numbers:

        According to minerstat.com, an NVidia RTX 4090 has a hashrate of 118.07MH/s. This is 118.07 Megahashes per second, or 118.070.000 hashes per second. For a password with only 8 lowercase letters (208.827.064.576 combinations), it would take an RTX 4090 approximately 1769 seconds (or ~30 minutes) to go through all possible combinations. For an 8 character upper+lower+numbers password (218340105584896 combinations) it would take 1849243 seconds, or 21.4 days.

        For an 8 emoji password (32482071647592311234920185856 combinations), it would take 275.108.593.610.504.896.512 seconds, or 8.723.636.276.335 years.

        Lets say a magic prediction algorithm reduces the number of possible combinations in each password to 1 out of every 1 million previously possible combinations. 8 lowercase letters would be cracked instantly, while an 8 emoji password would still take 8.723.636 years.

        • These statistics aren’t entirely correct. There are 3664 emoji, so an 8 emoji password would take ½*3664^8 attempts to crack on average, or 1.6 * 10^28 attempts or about 10^20 seconds on a single 4070. That’s ignoring the fact emoji are more than one single byte; at byte level, an 8 emoji password is probably 24 bytes long, but it can be much longer.

          Now, this number could be reduced by a dictionary attack (⚽ doesn’t get combined with gender or skin tone, generally) and emoji like 🏴󠁧󠁢󠁳󠁣󠁴󠁿 can increase the number (🏴󠁧󠁢󠁳󠁣󠁴󠁿 is one glyph but encoded in 28 bytes!).

          In practice, though, I don’t think people would be able to remember whether they used 💙 or 🩵. That makes it rather unpractical for normal people to use. Also, software isn’t generally tested for this. The Steam Deck had a bug on release where it would crash and reboot if you opened up the emoji selection screen in the password field for initial setup, for example.

          Just adding a single emoji to a password would probably make it uncrackable already, because brute forcing tools like John the Ripper don’t include these unicode ranges by default. Then again, so does adding 𓂸.

          • deadcade@lemmy.deadca.de
            link
            fedilink
            arrow-up
            5
            ·
            1 year ago

            The times I calculated were indeed going over every possible combination, it would take half as long to crack a password on average. Considering reducing the time to 1/1000000 still leaves you with an incomprehensibly large estimated timespan, dividing that by 2 doesn’t do that much for making it brute-forceable.

            I did note it was specifically for 8 emojis, not 8 characters or bytes.

            And yes, it’s very impractical and likely to break things. It’s better and much easier to add extra letters, numbers, and symbols to your password rather than using emojis. Using a password manager is even better.

            As you stated, a single unicode character would mean your password wouldn’t be included with the potential options in almost all brute forcing tools. Whether you use 8 emojis or 1, your password likely won’t get brute forced.

            All of my “emoji password” numbers are if the attacker knows it’s a password containing exactly 8 emojis, and nothing more. Adding a regular symbols+upper+lower+numbers 16 character password would make it even more impossible to brute force.

    • Luccus@feddit.deOP
      link
      fedilink
      arrow-up
      19
      arrow-down
      2
      ·
      edit-2
      1 year ago

      We are sorry, your request could not be processed. 😊

      As you know, at Corp.inc we believe that the most important thing there is, is human connection. ❤️ For this reason, every complaint must contain at least 2 happy emojis or 1 heart.

      Please resubmit your concern accordingly. 😉

      with love, Corp.inc - Issue Management

    • Fonzie!@ttrpg.network
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      An emoji is hard to remember if you need to type them with an alt code, while also being easy to crack.

      I hope you meant “easier to crack than to remember it’s ALT code”*

      They’re significantly harder to crack than most other characters, simply as there are much more of them than letters and numbers combined.


      For a computer, and emoji is nothing else than a character.

      This isn’t really true either, they’re always composed of 4 or more bytes, which to a computer is 4 or more characters.

  • code@lemmy.world
    link
    fedilink
    arrow-up
    28
    ·
    1 year ago

    You can also use emojis in computer and user names in active directory. Trust me, the network guys love it!

    • Luccus@feddit.deOP
      link
      fedilink
      arrow-up
      42
      ·
      edit-2
      1 year ago

      The Interrogator: “You think you’re so funny… WHAT. IS. THE. PASSWORD!!!”

      A guy, tied to a chair, bloodied and crying: “Amogus, it’s a drawing of the Amogus guy.”

      The interrogator prepares another round of fists

  • Dandroid@dandroid.app
    link
    fedilink
    arrow-up
    22
    ·
    1 year ago

    You can add emojis to your wifi SSID. I do not recommend it for compatibility reasons, though. Your printer might not like it.

    • Madis@lemm.ee
      link
      fedilink
      arrow-up
      7
      ·
      edit-2
      1 year ago

      In my experience, several devices don’t display the emoji as a correct icon (instead show the rectangle “tofu”), but they still work with it.

      Source: am using an emoji with some normal characters on SSID

      • Dandroid@dandroid.app
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        That’s good! That’s best case scenario, honestly. With how awful printers are, I wouldn’t be surprised if some just crashed.

    • superkret@lemmy.ml
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      That’ll make setting up your wifi from the command line all kinds of fun.
      Even my SSID with , and : in it stumps the Debian installer.

        • voxel@sopuli.xyz
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          edit-2
          1 year ago

          just plug the printer into your router or something like raspberry pi (or a pc that’s running constantly) with a usb cable if you need that

      • nikoof@feddit.ro
        link
        fedilink
        arrow-up
        21
        arrow-down
        1
        ·
        1 year ago

        Internet access? Never. LAN access though is a different story altogether…

      • Dandroid@dandroid.app
        link
        fedilink
        arrow-up
        11
        ·
        edit-2
        1 year ago

        It is very useful for your printer to have LAN access so you can print jobs wirelessly from your laptop.

        But printer was just an example of a low-tech device. It could have easily been your Nintendo 3DS that might implode if your SSID had an emoji in it.

  • Shatur@lemmy.ml
    link
    fedilink
    arrow-up
    17
    ·
    1 year ago

    I would recommend generating your passwords and storing them in a local password manager like KeePassXC. This way, you only need to remember one password from the database itself and you will not worry if any website leaks its database since all your passwords are unique.

    • Cysioland@lemmygrad.ml
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      This is a password for logging into the system. So pre-password manager. Reminds me that I need to setup myself a Yubikey FIDO2 login