Comment

Comment on Security expert reveals surprising way to make your password stronger: use emojis

Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin’ for not stripping non-UTF characters (or making sure they work).

My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn’t have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn’t even recognize it.

So if anything, I’d say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboards layout can be installed across devices and are fully standardized, even if the same character looks slightly different.

source

Sort:hotnew top

Username@feddit.de ⁨1⁩ ⁨year⁩ ago
Stripping characters from passwords, great idea! Right up there with truncating passwords that are too long.

source
- viking@infosec.pub ⁨1⁩ ⁨year⁩ ago
  [deleted]
  source
  - Username@feddit.de ⁨1⁩ ⁨year⁩ ago
    That’s not how any of this works.
    
    First of all, stripping passwords is never okay. You can reject the password and let the user choose a new one, but never just modify it on your own.
    
    Then, if your system is at risk of code injection by certain characters in user input, please just shut it down and never turn it on again.
    
    source
  - ricecake@sh.itjust.works ⁨1⁩ ⁨year⁩ ago
    Doing that is actually a great way to tell attackers that you’re vulnerable to that type of attack.
    
    Bypassing those front end restrictions is super easy, and the attackers don’t need an account or a password to attack you.
    
    It’s like putting a sign that says “lock fragile; don’t tug” on the door to your business.
    
    source
    Dark_Arc@social.packetloss.gg ⁨1⁩ ⁨year⁩ ago
    
    It’s like putting a sign that says “lock fragile; don’t tug” on the door to your business.
    
    That one made me chuckle, it really do be like that 😂
    
    source
  - Honytawk@lemmy.zip ⁨1⁩ ⁨year⁩ ago
    Learn how to sanitise your database inputs first, damnit!
    
    xkcd.com/327/
    
    source
kuneho@lemmy.world ⁨1⁩ ⁨year⁩ ago
also some OSKs put whitespaces after inserting an emoji, some doesn’t. there’s no unified emoji input method yet.

source
lolcatnip@reddthat.com ⁨1⁩ ⁨year⁩ ago
There’s no such thing as a non-UTF8 character. You mean non-UTF8 bytes? If a system sees those, it should reject the entire input, not try to patch it up.

source