Pros and Cons of using Emojis in passwords

eri8

I'd like to hear your opinion on using emojis in the main password to unlock the phone now that we have the emoji button.

My main concern is that if the button, or just an emoji, is removed in a future update, there's no possibility to unlock the phone anymore. That's obviously a risk.

On the up-side this greatly increases keyspace. But is it worth the risk?

Xtreix

eri8 From my point of view, it's a bad idea and there's no advantage to it. A simple emoji like a smiley will be translated as ": )", but others will be more complicated, so you'll need to know them in their ascii forms, it won't increase your security and you're much more likely to make a mistake when typing in your password, stick with simple alphanumeric characters from A to Z, don't use special characters either, it's important to make a compromise between security and convenience and it's no useful if unlocking your device for the first unlock request becomes an ordeal.

areaman

It is an interesting idea, using one strange unicode character means a much larger character set is needed for brute force. How many password crackers are even configured to try 🐿️, ψ, or √ in the search space? The main concern is loosing your ability to enter the character somehow due to a bug or change in keyboard function.

areaman

Ok, lets do some math. Let's say we want 90 bit of entropy. Start with a 15 character random password using upper/lowercase alphanumeric + symbols, about 80 characters. That gives an entropy of E = 15*log₂(80) = 95 bits. With emojis included (now aobut 8,000 characters), you need 7 characters which gives you 91 bits. A sufficiently wierd unicode symbol might get you the full unicode set of 300,000. Now 5 characters gets you 91 bits of entropy, a very modest reduction in length for a huge set.

So basically it lets you have a shorter password, but not dramatically so. It depends on what's faster for you to type. Entropy grows much faster with length than with character set size.