Skip to main content

Convenient Cryptography – Are Emoji the Future of Passwords?

· 5 min read

How important is your data? Home address? Bank information? Social security number? Typically, everyone has some notion of the importance of privacy; it’s why we shut our blinds, lock our doors, build fences.

Modern web-servers do this all too well, but how do they know it’s you? In much the same way as locks secure tangible documents, passwords secure virtual data. Typically, web-servers cryptographically hash (conceal with math) your data, and store it in a database; which is why when you enter your password incorrectly the webpage replies “No match found.” This is because the algorithm hashed your input, and found nothing similar to it.

But who cares? Who cares how Netflix or Facebook stores your password? Consider the ramifications if the database gets hacked, and both usernames and hashed-passwords become public. Will yours be strong enough?

It’s frighteningly easy to crack a password, Computerphile’s video demonstrates just this. TL;DW: the program “hashcat” methodically hashes passkeys under a set of constraints and compares them to a database of passwords.

How can we choose passwords to avoid this brute-force and dictionary-attack nightmare?

We could use passwords like this:

g7X?R+Pfpf9K#(fMmg6V

This password is inherently uncrackable – it’s 20 characters long, with no words nor clever misspellings to which a dictionary could attack. With upper-case and lower-case letters, numbers, and symbols, a password of this length contains (93+52+10)^20 = (155)^20 = 6.4 * 10^43; or 64 tredecillion combinations. This password is invariably secure; and is remarkably overkill for what it achieves. But seriously, who can remember that?!

Password managers like 1Password, make it incredibly easy to create and manage passwords like these – and never look at them, ever again. However, the process is still cumbersome, and distracting. On mobile, logging in involves landing at the password box, exiting the app and opening 1Password, navigating to the proper login, tapping copy, returning to the original app, and pasting. That is far too many steps to be insignificant – but, is arguably the most secure and convenient solution for modern durable cryptographic security.

What about passwords like this:

scone-poetry-artwork

This is a significantly easier to remember. And it’s very easy to memorize by chunking; because you could, for example, imagine artwork or poetry of scones. This is far better than s-c-o-n-e-p-o… You just need to remember how they’re spelled, and how they’re related to your chunking strategies; much better than g7X?R…

Instead of calculating strength by successive letters, numbers and symbols; cryptanalysis and combinatoric processes would state that the calculation involves: (the number of words in the english [or other] language)^(number of words). Global Language Monitor holds that there are 1,025,109.8 words in the english language, which may lack fictitious words for instance, but serves sufficiently for calculation. For a three-worded password, there are (1,025,109.8)^3 = 1.077 * 10^18; or one quintillion combinations – many fewer than the password above, but still sufficiently secure. It’d also be a good idea to choose words that are used less frequently, because hackers are far less likely to check words like precocious or brazen.

This is perhaps the greatest password implementation that I have discovered, that is not without its flaws. Because passwords are typically star**, it becomes very easy to mistype. Did you type scone-poetry-artwork? or svpne-opetry-srtwirk? This is simply a result of moving your finger by a centimeter in either direction. This is why password techniques like this are easy to remember, but difficult to recall accurately.

Last year, British banking service provider Intelligent Environments announced their emoji-based pin-codes. Emoji serve great as pin-codes, but what about passwords? Sequential emoji-based passwords are as memorable as scone-poetry-artwork, trivial to enter, and relatively secure.

Consider this password:

😃🐄🍽🍒🇸🇰

This password, like the one above, tells a coherent, albeit nonsensical story: a happy cow that eats cherries in Slovakia. Instead of having to recall the nuanced spellings of scone-poetry-artwork, you just have to recall the concepts of happy, of cow, of cherries, and of Slovakia – no need to worry about misspellings; memorize a sentence, without spelling it.

According to unicode.org, there are already 1,791 unicode emoji, and growing; most of which are already recognized by iOS and macOS. The number of combinations of a five-character emoji-based password is thus: (1,791)^5 = 1.8*10^16; or 18 quadrillion combinations. Which isn’t as effective as scone-poetry-artwork, but significantly easier to remember.

Let’s put happy-cow-cherries-Slovakia into perspective. The most popular password in 2015 was “123456,” unchanged for one or more years. Here, the number of characters doesn’t matter; 123456 would fall to a dictionary attack in a matter of seconds, if not sooner. Happy-cow-cherries-Slovakia, and emoji-based passwords in general, offer a significant cryptographic advantage over “123456“, or “password.”

The blaring problem with this implementation, is its lack of support. Sure, mobile support is significant, just click the “international” button on the iOS keyboard, and gain access to the majority of emoji available; but desktop support certainly isn’t. Neither MacOS, nor Windows, nor Linux offer any practical access to emoji; although there are a few good chrome extensions. There is a simple fix, however. The webpages simply need access to an emoji-based keyboard API, where entering a password is as simple as tapping, or clicking.

There is no limitation to storing and hashing emoji-based passwords. Operating systems and browsers take an emoji such as “U+1F603” and pre-converts it into a locally stored symbol; which happens before it’s displayed on the webpage. The hash function computes this like any other string, and stores it in a database. By typing in identical emoji, the same string gets hashed, and matched with the database.

You can try it yourself with this chrome plugin, and this hash-calculator.

It’s obvious, emoji will soon replace simple passwords; which would introduce significant security advantages over the overwhelming mass of “password’s, 123456’s, and John87’s.” Stronger passwords will always have a place; but g7X?R what?