💯🐴🔋(umm, staple)
Security expert reveals surprising way to make your password stronger: use emojis
Submitted 1 year ago by Salamendacious@lemmy.world to technology@lemmy.world
Comments
PetDinosaurs@lemmy.world 1 year ago
LemmyFeed@lemmy.world 1 year ago
Correct horse battery staple!
elbarto777@lemmy.world 1 year ago
But was it a 💯 or was it a ✅? Damn neither. Let’s try with 👍…
TimeSquirrel@kbin.social 1 year ago
Jeez, you're right. We got pens, pencils, stock charts, even those folders with the colored label tabs, but no stapler, the most basic of office equipment.
davidgro@lemmy.world 1 year ago
When it’s added, I expect most implementations will make it red.
kratoz29@lemm.ee 1 year ago
Good luck logging in a Smart TV.
MoogleMaestro@kbin.social 1 year ago
Security Experts probably don't log into smart tvs all that often. Just a guess.
Etterra@lemmy.world 1 year ago
Sorta how car designers never have to actually fix cars.
elbarto777@lemmy.world 1 year ago
Logging in a smart tv? Lol!
Cavemanfreak@lemm.ee 1 year ago
All the apps I’ve used recently use QR codes (or similar measures, like a sync code) that has you log in from the phone, so it should work anyway!
kratoz29@lemm.ee 1 year ago
But not all apps, sadly, I just experimented it with Crunchyroll, and saw my dad struggling with a crappy app called Vix yesterday.
echodot@feddit.uk 1 year ago
In my experience the only one that works with any degree of reliability is YouTube. Even the Netflix one can be fairly intermittent.
Also a lot of the time you’ll go away and the hotel you’re in will have a smart TV and the software was last updated in 2011 so you have to sign in on the device.
thorbot@lemmy.world 1 year ago
Scan the QR code and log in on your phone. Oooh scary
lolcatnip@reddthat.com 1 year ago
I’ve had to manually type in passwords on a TV several times in just the past few months because sometimes the login for even the biggest brand-name services is just broken.
AceFuzzLord@lemm.ee 1 year ago
I’d rather staple my forehead to a telephone pole before I ever think about using an emoji in a password. Those things are abominations!
Sterile_Technique@lemmy.world 1 year ago
👆
mojo@lemm.ee 1 year ago
Terrible idea, good luck logging in on desktop.
Salamendacious@lemmy.world 1 year ago
You know there’s someone somewhere who would answer you with, “what’s a desktop?”
mvirts@lemmy.world 1 year ago
I’m still in denial 😅
ChickenAndRice@sh.itjust.works 1 year ago
I began feeling old when re**itors started calling their site an ‘app’
Zellith@kbin.social 1 year ago
WalrusDragonOnABike@kbin.social 1 year ago
For Windows 10/11, it's win+; to open the emote window.
danielton@lemmy.frozeninferno.xyz 1 year ago
Cmd+Ctrl+Spacebar on Mac
lud@lemm.ee 1 year ago
That doesn’t work on the desktop last I checked.
But it’s actually possible to set a password with emojis anyways (or at least for domain accounts). I successfully logged in on a VM using the Hyper-V window and pasting the emoji from the host. You can also name an account a single emoji and windows actually handles it decently. It’s very likely to break a lot of programs though.
Garbanzo@lemmy.world 1 year ago
It’s Windows logo key + . (period).
Hamartiogonic@sopuli.xyz 1 year ago
Who needs Reddit when people like you are here on Lemmy.
abhibeckert@lemmy.world 1 year ago
Wait, you can’t type emoji on your desktop?! What is this the 90’s?
BellaDonna@mujico.org 1 year ago
I have no idea how you could either. I don’t know how to create them with a keyboard
sverit@feddit.de 1 year ago
Under Windows press Win+.
kromem@lemmy.world 1 year ago
No. There’s only one piece of advice that should be given to users in 2023 about how to make their passwords stronger:
Use a password manager
Just use 32 character random alphanumeric passwords that are unique for each site (you can do more like 12-16 characters if you’ll ever need to enter manually).
This is it. Stop trying to create clever passwords that you can remember. You aren’t as uniquely creative as you think and there’s been bodies of research into how the various things people do to create passwords that look secure can reduce the generation space so much that they become considerably easier to crack with an intelligent algorithm.
shucks@lemmy.blahaj.zone 1 year ago
I got it to a stable 54% by using an algorithm typing f or d for consonants and vowels respectively in sentences I thought up, switching languages regularly, and a stable 56% by just typing randomly and adjusting my patterns based on the colored output, which might have skewed my results. Certainly a very cool tool, I also liked the explanation linked on the page!
lemmyingly@lemm.ee 1 year ago
How many websites/services don’t support such lengthy passwords these days?
kromem@lemmy.world 1 year ago
Few, but those that don’t you can just shorten the length generated.
xantoxis@lemmy.world 1 year ago
Oh for fuck’s sake, just turn on 2FA
Ertebolle@kbin.social 1 year ago
vamputer@infosec.pub 1 year ago
I like doing entire phrases with some rhymes thrown in. Makes it easier to remember them.
“BonyTonyMoansHe’sOnlyGrownLonely” has a shitload of characters, and a full sentence (even a nonsensical one like that) is more memorable to me than a random handful of disparate words.
The more ridiculous, the better.
scinde@discuss.tchncs.de 1 year ago
You can’t compare a 46 random character password to a password composed out of words, the entropy of each is very different. Your kind of password is vulnerable to dictionary attacks which are way more common and easy than brute forcing every possibility. A 50+ characters unique random password for each service that is stored in a password manager which is encrypted with a 20+ characters random password is the most secure and future proof (for now).
JigglySackles@lemmy.world 1 year ago
Just be sure to throw in symbols and numbers to beef it up. Dictionary words are easier to brute force.
notapantsday@feddit.de 1 year ago
The whole idea is to make it easier for humans to remember and more difficult to brute force. Long passwords are much harder to brute force than complex passwords with lots of special characters. And they’re a lot easier for humans to remember.
There are enough words in any language that it’s virtually impossible to guess the correct four words, even if they’re in the dictionary.
djdadi@lemmy.world 1 year ago
Not 4 of them in a row. Keep in mind the attacker doesn’t know "look for exactly 4 words"
lupec@lemm.ee 1 year ago
I love it, Bitwarden has supported generating passphrase style passwords for a while and it’s basically that. It’s my go-to these days.
ammonium@lemmy.world 1 year ago
Four words is too low these days to protect against gpu bruteforcing
Ookami38@sh.itjust.works 1 year ago
I prefer picking a sentence or so that has meaning to me, using the first letters, and then adjusting for numbers/symbols. So if I wanted to make that a pw, it’d be 1ppa505thm2m,utfl,atafn/5. -looks completely unintelligible, but as long as you can remember the sentence and have some ideas of how you would have encoded it, easy enough to remember/recreate.
Kusimulkku@lemm.ee 1 year ago
Password database
SuddenlyBlowGreen@lemmy.world 1 year ago
Just use a password manager, goddamn.
RagingRobot@lemmy.world 1 year ago
But only save emojis in it lol
fosstulate@iusearchlinux.fyi 1 year ago
Two of my colleagues still use locally stored plaintext for individual work credentials, despite having been shown where the password manager is. Both have accessed their files in front of me. If it’s not in those files it’s saved in the browser (because convenience is a hell of a drug). Now you start to see why discrete managers have a hard time, even amongst technology workers.
spark947@lemm.ee 1 year ago
Until you get to a prompt that doesn’t support unicode.
jbk@discuss.tchncs.de 1 year ago
What’s up with all the hate for emojis lmao
Polar@lemmy.ca 1 year ago
Parasocial people.
It was the same on Reddit. All of the people who despised emojis were often posting in really cringe and incel related subs.
My use of emojis sky rocketed after I started dating. They are fun and convey emotion really well.
pewgar_seemsimandroid@lemmy.blahaj.zone 1 year ago
💀💀💀💀💀💀💀🗿🗿🗿🗿🗿🗿🗿🚣👍👍👍👍👍👍🔥🔥🔥🔥🔥🔥🔥 sigma
the emojis and text above are a part of the reason
Snowpix@lemmy.ca 1 year ago
People who use them tend to spam the hell out of them. Like, 8 of the same emoji. And they use them every other sentence. It’s obnoxious, you only need one or two to get the point across.
BrianTheeBiscuiteer@lemmy.world 1 year ago
Sounds great where it works but I’m sure most systems would reject an emoji or make you type out some overly complex password in addition to your emoji.
marx2k@lemmy.world 1 year ago
…no
originalucifer@moist.catsweat.com 1 year ago
this feeeels like the stupidest idea ive ever heard.. its not like theres really an emoji standard applied as universally as text, across devices or applications... the transforms that happen... this seems fraught with terribleness
am i missing something?
sarmale@lemmy.zip 1 year ago
Can you write any unicode character? Gotta make passwords in cuneiform
Cosmos7349@lemmy.world 1 year ago
As a software DEVELOPER who has worked with a lot of symbols and emoji… PLEASE DON’T DO THIS.
Software doesn’t all handle these symbols the same way, and without tech knowledge, it’s very possible to not be able to log in easily. I’m kinda drunk rn, but I’ll try to explain…
For example… skintone emojis are actually two characters, a face and a skin tone modifier. I think those ones are always two characters but some of these “multi-char” characters can be normalized into a single character. But not everyone handles this the same way. For example, Safari might normalize the emoji, but Firefox might treat it as two separate characters… And this would probably make your password not match. But basically… text has lots of edge cases; I’d advise to use normal passwords please (also maybe a password manager)
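The mismatch described in the comment above, as an added example that is not part of the original thread: the same visible password can arrive as different code point sequences, so a verifier that hashes raw bytes rejects it unless the input is normalized first (NIST SP 800-63B suggests NFKC or NFKD). The sample strings and salt are constructed, PBKDF2 stands in for whatever password hash a site uses, and the variation-selector case goes beyond the skin-tone case the comment names.

```python
import hashlib
import hmac
import unicodedata

SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt

# Constructed sample passwords, written as escapes so the code points are explicit.
COMPOSED = "caf\u00e9"               # e-acute as one precomposed code point
DECOMPOSED = "cafe\u0301"            # "e" followed by a combining acute accent
SKIN_TONE = "\U0001F44D\U0001F3FD"   # thumbs up + medium skin tone modifier
HEART_VS16 = "\u2764\ufe0f"          # heavy heart + emoji variation selector
HEART_PLAIN = "\u2764"               # same heart without the selector


def code_points(s: str) -> list[str]:
    """Return the code points of s as U+XXXX strings."""
    return [f"U+{ord(c):04X}" for c in s]


def hash_password(password: str, normalize: bool) -> bytes:
    """Derive a verifier, optionally applying NFKC before encoding to UTF-8."""
    if normalize:
        password = unicodedata.normalize("NFKC", password)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


def same_verifier(a: str, b: str, normalize: bool) -> bool:
    """True if both inputs produce the same stored verifier."""
    return hmac.compare_digest(hash_password(a, normalize),
                               hash_password(b, normalize))


if __name__ == "__main__":
    print("skin-tone emoji:", code_points(SKIN_TONE))
    print("composed vs decomposed, raw:  ",
          same_verifier(COMPOSED, DECOMPOSED, normalize=False))
    print("composed vs decomposed, NFKC: ",
          same_verifier(COMPOSED, DECOMPOSED, normalize=True))
    # Normalization does not merge a modifier into its base emoji,
    # and it does not remove a variation selector an input method added.
    print("skin-tone length after NFKC:  ",
          len(unicodedata.normalize("NFKC", SKIN_TONE)))
    print("heart with/without VS16, NFKC:",
          same_verifier(HEART_VS16, HEART_PLAIN, normalize=True))
```

Normalizing on both registration and login fixes the accented-letter case, but an emoji typed with a different modifier or selector is still a different password.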
lazycouchpotato@lemmy.world 1 year ago
I disagree with them.
- Emojis do not look the same on all platforms. Let’s take white large square ⬜ for example. Emojipedia shows what that emoji looks like on 26 different vendors. Some are pure white, some are shades of grey, and then there’s Microsoft who in its usual infinite wisdom decided it should be purple. large yellow square 🟨 is a tossup between actually yellow and orange. This issue is also exacerbated with different displays displaying colours differently. Factors such as color accuracy, viewing angle, brightness affect how you perceive colour.
This also extends to face emojis. grinning face with big eyes (Emojipedia link) isn’t that easy to tell apart from grinning eyes (Emojipedia link)
- Emoji support depends on your device. I’m on Windows 11 22H2 which recently added support for shaking face 🫨. Problem is, Windows’ emoji picker Win + . (period) doesn’t have it. Trying to login on a friend’s phone that’s still on iOS 15 or Android 12? Enjoy manually copy/pasting the emoji from Emojipedia.
correct horse battery staple on the other hand looks the same on all devices.
Treczoks@lemm.ee 1 year ago
Completely useless from many sources where I have to rely on a keyboard for entering passwords.
PlexSheep@feddit.de 1 year ago
Just use longer passwords?
SirEDCaLot@lemmy.fmhy.net 1 year ago
Last week or two I’ve been learning more about passkeys, and it makes threads like this seem ridiculously out of date. Given the choice between emojis and passwords and hard crypto, I’ll take the crypto.
Arfman@aussie.zone 1 year ago
Long time ago a friend of mine used a set of key presses to generate a smiley face to put in his bios which ended up in a situation where he was not able to type in the same smiley face into the password prompt. I had to teach him to reset his bios battery to get back into the bios.
Agent641@lemmy.world 1 year ago
Pick four long words at random. Assign each of these to the four quadrants of the alphabet.
A-F - equipment
G-M - triumphant
N-S - sampling
U-Z - fatigued
Pick one number:
4
Now, take the first letter of the service that the password is for, and that selects your quadrant word. Take the number of letters in the service and multiply it against your number. Take the last letter of the service, and on your qwerty keyboard, move all the way to the right of that line to select the first symbol there. That’s your unique password that’s salted with your personal words and number.
Facebook
Aceticon@lemmy.world 1 year ago
Grab a sentence you know well.
Pick just the first letter of each word.
It will look like it’s random - for example “I like my lemmy only with beans and bacon” becomes “ilmlowbab” - and it comes from a far vaster possibility space (every possible sentence and it need not even make sense) than that of “words in the English language and derived words” so it’s a lot harder to try to crack with a dictionary attack.
Also it works in everything that takes ASCII characters (i.e. everything but numeric only pin codes).
magnetosphere@kbin.social 1 year ago
Anyone who takes any kind of advice from the fucking New York Post deserves what they get.
Technus@lemmy.zip 1 year ago
I wonder how often curse words or obscure slang are included in dictionary attacks.
sour@kbin.social 1 year ago
am already use:
._.
kapx132@lemmy.world 1 year ago
or just use special characters of languages like: ą, ę, ø, č
Somewhereunknown7351@kbin.social 1 year ago
That’s the worst idea i have ever heard
Extrasvhx9he@lemmy.today 1 year ago
Haven’t read the article yet but if you have to manually input just stick to 6 or more randomly generated words (different languages if you would like to). A keyboard won’t always have options for emojis.
jordanlund@lemmy.world 1 year ago
Emojis are known to break systems in certain circumstances due to the way they’re interpreted in certain character sets.
I guarantee people doing this will not only lock out their own accounts, but may even freeze some authentication servers.
pcmag.com/…/want-to-brick-an-iphone-send-some-emo…
itechpost.com/…/brick-iphone-using-emojis-plus-tr…
abhibeckert@lemmy.world 1 year ago
The website should be feeding your password into bcrypt or similar. The output will be a fixed length binary value or hex string.
NightAuthor@lemmy.world 1 year ago
Can you still log in to wellsfargo accounts using the T9 translation of your password?
lemmyvore@feddit.nl 1 year ago
It’s not the processing on the server that’s the problem. To reach the server the password needs to go through several layers of character encoding, if any of them fails the server will receive something different from what you meant. And when you try to login from another device and the layers will be different you’ll effectively be sending a different password.
Vilian@lemmy.ca 1 year ago
make one account with emoji password to test their system, if it breaks, good, go create your account somewhere else
Arin@kbin.social 1 year ago
auth servers breaking from emojis would be hilarious, pretty sure that's why older accounts only allow certain symbols in passwords
jordanlund@lemmy.world 1 year ago
“Your password ‘🤣umådbrø⁉️’ is breaking our server. Please change it.”
Kusimulkku@lemm.ee 1 year ago
If some auth server breaks because I put emojis in my password then that’s right and deserved
viking@infosec.pub 1 year ago
Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin’ for not stripping non-UTF characters (or making sure they work).
My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn’t have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn’t even recognize it.
So if anything, I’d say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboards layout can be installed across devices and are fully standardized, even if the same character looks slightly different.
Username@feddit.de 1 year ago
Stripping characters from passwords, great idea! Right up there with truncating passwords that are too long.
kuneho@lemmy.world 1 year ago
also some OSKs put whitespaces after inserting an emoji, some don’t. there’s no unified emoji input method yet.
lolcatnip@reddthat.com 1 year ago
There’s no such thing as a non-UTF8 character. You mean non-UTF8 bytes? If a system sees those, it should reject the entire input, not try to patch it up.
50gp@kbin.social 1 year ago
and there are many trash implementations that don't recognise something like :emoticon: and turn it into emoji, no no you have to use emoji keyboard to type them
lolcatnip@reddthat.com 1 year ago
OTOH, there is only one character set that matters, and any system using a different one is, by that fact alone, broken.
jordanlund@lemmy.world 1 year ago
Pick one :)
www.iana.org/assignments/…/character-sets.xhtml
Salamendacious@lemmy.world 1 year ago
That only applies to iphones that came out 2016 or earlier and were never updated right?
Funwayguy@lemmy.world 1 year ago
Hahaha, I wish.
You would be amazed at how ancient and poorly maintained many web servers are on the modern internet. SQL injection still consistently makes the top 3 web app vulnerabilities as of 2021. If that isn’t being sanitized properly I don’t expect emojis would be handled much better.
jordanlund@lemmy.world 1 year ago
For that particular bug, yes, but there have been many other variations on that theme and not limited to Apple tech. I’ve seen it nuke an email send for example because the SMTP server choked on emojis placed in a subject, to, or from line.