Emojis for passwords

Jun 30, 2015


During the last month, there has been much talk about how successful a system where the password is entirely replaced by emojis might be. The idea of replacing passwords with images or icons is not a new one, but came up again when the company “Intelligent Environments”, a financial software development company, introduced a passcode authentication system using emojis.

The main argument supporting this approach is that the number of passwords from where a password is selected is significantly bigger compared to selecting a PIN number, making it more difficult to guess , and that our brains are designed to remember pictures and not long complicated passwords.

If we take the first argument, the approach followed by the emoji passwords is significantly better than a normal PIN as the number of different keys available to a user is significantly higher. Let’s take as an example a four digit password, such as a traditional PIN number. The number of combinations of different passwords can be found by calculating the space of characters available (0 to 9), powered by the number of characters of the password, in this example four (4). As a result, the available number of different PINs is 104 = 10,000 different PIN numbers (from 0000 to 9999).

The suggested approach for the emoji passcode involves 44 different emoji icons. Following the same approach as the PIN number, the number of different password combinations for a 4 character password would be 444=3,748,096, significantly higher than using numbers. An emoji-based approach could also resolve the problem of easy to guess sequential passwords, such as “1234”. The emoji is a symbol representation and as a result, doesn’t need to follow the same sequential order as numerical digits. Therefore, the sequence in which the emojis are presented to the user can be altered on each launch of the application.

Even though there is much supporting evidence for the first argument, the second argument can only be partially supported. While it is easier to remember images instead of numbers, this applies only to small number of characters. It will always be easier to remember a complex phrase such as “1Re@llyL1keB@n@n@s” than an equivalent 18 character emoji series of characters, when a strong password is required.

So emojis are a great alternative for creating short-length passwords and passcodes, but they cannot replace the main password authentication used by the majority of applications because of their complexity and password length requirements.  Much of our work as pentesters is made so much easier by the use of weak credentials, despite the need for strong passwords being the key (often only) theme in cyber training and awareness programmes.

So what can you do to give yourself a chance against the malicious actor? Adopt these simple steps and you will be well on your way to doing so:

  • use passphrases
  • avoid passwords that are easily associated with you
  • don’t use simple dictionary words or obvious passwords like 123456 (the most common password in 2014) or password (2014’s second most common password)
  • don’t use the same password across sensitive sites like your bank and personal email
  • if you have to write a password down, don’t make it obvious
  • if you use a password vault, try to obscure some of the information in case it gets breached!

Passwords are here to stay, use them wisely.

To find out more about securing your passwords and sensitive data, contact us.

Emojis for passwords