Technus@lemmy.zip
on 03 Nov 2023 00:15
I wonder how often curse words or obscure slang are included in dictionary attacks.
Salamendacious@lemmy.world
on 03 Nov 2023 00:29
What about non English words, or slang? That would be interesting information to have.
NeoNachtwaechter@lemmy.world
on 03 Nov 2023 06:46
Very smart idea, because everybody knows that dictionaries exist only in the English language /s
Kusimulkku@lemm.ee
on 03 Nov 2023 07:08
What do you imagine is the most used dictionary for dictionary attack? English must be up there, meanwhile Finnish for example isn’t going to be quite as popular
NeoNachtwaechter@lemmy.world
on 03 Nov 2023 09:09
What do you imagine is the most used dictionary for dictionary attack?
Klingon, obviously. Every hacker who ever wants to become famous must be fluent in Klingon first, as we all know.
Salamendacious@lemmy.world
on 03 Nov 2023 07:42
Lots of languages have local dialects and those dialects themselves can have their own slang. In Italy the local dialects can differ quite a bit. Do you think there are dictionaries for all the local slang in the Sardinian dialect? Lots of Italian maps don’t bother to even include Sardinia.
originalucifer@moist.catsweat.com
on 03 Nov 2023 00:17
This feeeels like the stupidest idea I've ever heard.. It's not like there's really an emoji standard applied as universally as text, across devices or applications... the transforms that happen... this seems fraught with terribleness
Am I missing something?
Salamendacious@lemmy.world
on 03 Nov 2023 00:28
I thought Emojis were a set standard but how they’re rendered can change. So whatever it is that identifies the heart emoji is universal but iPhone, Samsung, Google, etc might render that heart differently.
abhibeckert@lemmy.world
on 03 Nov 2023 01:02
How they’re rendered is a set standard now too. For example there was a bit of an issue where the gun emoji could be a water pistol pointing left or a revolver pointing right… and when it was combined with a person emoji… that could lead to… issues. It’s a water pistol everywhere now.
Salamendacious@lemmy.world
on 03 Nov 2023 01:11
You mean Apple changed it to a water gun and everyone followed suit so as not to have an issue?
Thanks, America, and your mass shootings.
greybeard@lemmy.one
on 03 Nov 2023 00:42
Although I agree it is risky, emoji are unicode characters, just like any other unicode character. If, and that’s a big if, the programmers do their job right, it shouldn’t matter if you use an emoji or a random kanji. It’s all just another character. That said, I don’t trust programmers enough to run the risk. Your password might work fine on the website but then fail on the mobile app.
Someone else said “good luck on the desktop”, but Windows actually has an emoji picker built right in. Win+. will bring it up. Another fun fact, usernames and computer names both support the full unicode set on Windows, including emoji. Some fun can be had with that knowledge. I haven’t tried it on Linux or MacOS yet.
MonkeyKhan@feddit.de
on 03 Nov 2023 00:46
Emojis are standardized exactly the same way as text is, both are defined by the unicode standard. They might not be rendered uniformly, the same way that text rendering depends on the font.
HunterFrisby@lemmy.ml
on 03 Nov 2023 00:52
Yes there is, Unicode (Emoji’s): https://unicode.org/faq/emoji_dingbats.html. I would say most modern devices/systems utilize it too. The reason they may look different from device to device is because the presentation style can be modified by vendors, somewhat similar to using different fonts to make letters look styled.
Supermariofan67@programming.dev
on 03 Nov 2023 02:31
If this isn’t satire, that’s literally what Unicode and UTF-8 are
But it’s actually possible to set a password with emojis anyways (or at least for domain accounts). I successfully logged in on a VM using the Hyper-V window and pasting the emoji from the host. You can also name an account a single emoji and windows actually handles it decently. It’s very likely to break a lot of programs though.
WalrusDragonOnABike@kbin.social
on 03 Nov 2023 16:16
It's worked on desktops for years and works right now. As someone else pointed out, "win+." works as well. Or maybe it's supposed to be the only way it works and mine is bugged? Idk. I found it via trying to lock my desktop and mistyping.
Oh I meant the lock screen, sorry.
As far as I know it works everywhere except the lock screen.
WalrusDragonOnABike@kbin.social
on 03 Nov 2023 20:06
oh, I never tried. There goes that option. Wonder if that was intentional, to prevent people from trying to use emoji passwords because they didn't trust windows to handle it.
It’s probably just because the emoji panel is a program and the lock screen has very limited, if any, capabilities to run programs. And trying to make the emoji panel function on the lock screen is pretty much a waste of time anyway.
Hamartiogonic@sopuli.xyz
on 03 Nov 2023 18:41
Who needs Reddit when people like you are here on Lemmy.
Extrasvhx9he@lemmy.today
on 03 Nov 2023 00:23
Haven't read the article yet, but if you have to manually input, just stick to 6 or more randomly generated words (different languages if you would like). A keyboard won’t always have options for emojis. Use your password manager’s autofill/autotype everywhere else and 2FA where you can. That's it, don't overcomplicate things; that's a good way to screw yourself over.
jordanlund@lemmy.world
on 03 Nov 2023 00:30
Emojis are known to break systems in certain circumstances due to the way they’re interpreted in certain character sets.
I guarantee people doing this will not only lock out their own accounts, but may even freeze some authentication servers.
Salamendacious@lemmy.world
on 03 Nov 2023 00:34
That only applies to iPhones that came out 2016 or earlier and were never updated, right?
jordanlund@lemmy.world
on 03 Nov 2023 00:46
For that particular bug, yes, but there have been many other variations on that theme and not limited to Apple tech. I’ve seen it nuke an email send for example because the SMTP server choked on emojis placed in a subject, to, or from line.
Salamendacious@lemmy.world
on 03 Nov 2023 01:19
Thanks I appreciate the clarification
Funwayguy@lemmy.world
on 03 Nov 2023 00:48
Hahaha, I wish.
You would be amazed at how ancient and poorly maintained many web servers are on the modern internet. SQL injection still consistently makes the top 3 web app vulnerabilities as of 2021. If that isn’t being sanitized properly, I don’t expect emojis would be handled much better.
Salamendacious@lemmy.world
on 03 Nov 2023 01:18
Thanks I wasn’t aware of that
Arin@kbin.social
on 03 Nov 2023 00:45
auth servers breaking from emojis would be hilarious, pretty sure that's why older auth servers only allow certain symbols in passwords
jordanlund@lemmy.world
on 03 Nov 2023 01:10
“Your password ‘🤣umådbrø⁉️’ is breaking our server. Please change it.”
abhibeckert@lemmy.world
on 03 Nov 2023 00:50
The website should feed your password straight into a well known hashing algorithm or key derivation function that has undergone a decade or more of careful scrutiny, without any other processing. The output will usually be a fixed length base64 or hex string.
There’s a short list of about three options that are currently considered acceptable, and a few more are probably fine but are a little too easy to crack these days (e.g. anything that shares the same math as bitcoin… what if someone throws a mining datacentre at your password?)
If the site breaks, maybe you don’t want to be a customer of that service.
It’s not the processing on the server that’s the problem. To reach the server the password needs to go through several layers of character encoding; if any of them fails, the server will receive something different from what you meant. And when you try to log in from another device and the layers are different, you’ll effectively be sending a different password.
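Added example, not from any commenter above (Python, standard library only), to make the encoding point concrete. The same emoji password can reach the server as different byte sequences depending on how the keyboard composed it: "å" as one precomposed code point versus "a" plus a combining ring, and "⁉" with or without the U+FE0F emoji presentation selector that some keyboards append and some don't. A server that feeds raw bytes into the KDF will reject a correct password typed on the other device. Normalizing to NFC before hashing fixes the first case but not the second, because NFC leaves U+FE0F in place. The sample password and its variants are constructed for this example, and `hashlib.scrypt` stands in for whatever memory-hard KDF a real site uses.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed sample: the joke password from the thread, in three forms a user
# could plausibly end up sending from different devices.
#   PW_NFC      "å" as one precomposed code point, "⁉️" with U+FE0F (emoji style)
#   PW_NFD      "å" as "a" + U+030A combining ring (what some input stacks emit)
#   PW_NO_VS16  same as PW_NFC, but the keyboard did not add U+FE0F after "⁉"
PW_NFC = "🤣um\u00e5dbr\u00f8\u2049\ufe0f"
PW_NFD = "🤣uma\u030adbr\u00f8\u2049\ufe0f"
PW_NO_VS16 = "🤣um\u00e5dbr\u00f8\u2049"

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB per hash


def code_point_summary(pw: str) -> dict:
    """One visible emoji is not one unit: count code points and encoded bytes."""
    return {
        "code_points": len(pw),
        "utf8_bytes": len(pw.encode("utf-8")),
        "utf16_bytes": len(pw.encode("utf-16-le")),
    }


def naive_hash(pw: str, salt: bytes) -> bytes:
    """Hash whatever bytes arrived: NFC and NFD input give different digests."""
    return hashlib.scrypt(pw.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def hardened_hash(pw: str, salt: bytes) -> bytes:
    """Canonicalize to NFC first so precomposed and decomposed forms hash alike."""
    canonical = unicodedata.normalize("NFC", pw).encode("utf-8")
    return hashlib.scrypt(canonical, salt=salt, **SCRYPT_PARAMS)


def verify(stored: bytes, salt: bytes, attempt: str) -> bool:
    """Constant-time comparison of the stored digest against a login attempt."""
    return hmac.compare_digest(stored, hardened_hash(attempt, salt))


def demo() -> dict:
    salt = secrets.token_bytes(16)
    stored = hardened_hash(PW_NFC, salt)
    return {
        # raw-bytes hashing: the device that emits NFD locks the user out
        "naive_nfc_eq_nfd": naive_hash(PW_NFC, salt) == naive_hash(PW_NFD, salt),
        # with NFC normalization the NFD input matches
        "hardened_accepts_nfd": verify(stored, salt, PW_NFD),
        # a missing U+FE0F is still a different password: NFC does not touch it
        "hardened_accepts_no_vs16": verify(stored, salt, PW_NO_VS16),
    }


if __name__ == "__main__":
    print(code_point_summary(PW_NFC))  # {'code_points': 10, 'utf8_bytes': 19, 'utf16_bytes': 22}
    print(demo())
```

The practical consequence: if you accept non-ASCII passwords, normalize (NFC) on both the registration and login paths and never strip or truncate, and be aware that emoji presentation selectors and ZWJ sequences will still vary by keyboard, which is exactly the cross-device failure mode several people in this thread are describing.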
ricecake@sh.itjust.works
on 03 Nov 2023 13:31
The same character encoding that would break emoji would break a significant portion of the world's names, so if your system can’t handle it, then you deserve all the trouble that you run into.
Unicode isn’t that hard.
Dark_Arc@social.packetloss.gg
on 04 Nov 2023 01:58
You’re not wrong, but some systems, especially smaller ones are intended for English-only situations (or originally were) so non-English language situations might not be as well tested and/or may cause things to break.
Remember there are some sites that still refuse service if you put a " in your password. I’m not saying it’s right, but it’s a definite possibility.
lolcatnip@reddthat.com
on 03 Nov 2023 16:10
It’s not the 90s anymore.
Dark_Arc@social.packetloss.gg
on 04 Nov 2023 01:55
That is very much not a 90s problem. Especially if the company has a website and an app or is a small company not thinking about these things.
In theory this shouldn’t be an issue but it definitely could be an issue on certain services.
50gp@kbin.social
on 03 Nov 2023 01:14
and there are many trash implementations that don't recognise something like :emoticon: as a shortcut and turn it into an emoji; no no, you have to use the emoji keyboard to type them
Kusimulkku@lemm.ee
on 03 Nov 2023 07:03
If some auth server breaks because I put emojis in my password then that’s right and deserved
viking@infosec.pub
on 03 Nov 2023 07:28
Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin’ for not stripping non-UTF characters (or making sure they work).
My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn’t have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn’t even recognize it.
So if anything, I’d say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboard layouts can be installed across devices and are fully standardized, even if the same character looks slightly different.
Username@feddit.de
on 03 Nov 2023 07:50
Stripping characters from passwords, great idea! Right up there with truncating passwords that are too long.
kuneho@lemmy.world
on 03 Nov 2023 11:31
also some OSKs put whitespace after inserting an emoji, some don’t. There’s no unified emoji input method yet.
lolcatnip@reddthat.com
on 03 Nov 2023 16:07
There’s no such thing as a non-UTF8 character. You mean non-UTF8 bytes? If a system sees those, it should reject the entire input, not try to patch it up.
lolcatnip@reddthat.com
on 03 Nov 2023 16:06
OTOH, there is only one character set that matters, and any system using a different one is, by that fact alone, broken.
jordanlund@lemmy.world
on 03 Nov 2023 16:31
magnetosphere@kbin.social
on 03 Nov 2023 00:54
Anyone who takes any kind of advice from the fucking New York Post deserves what they get.
Somewhereunknown7351@kbin.social
on 03 Nov 2023 00:54
That’s the worst idea i have ever heard
Salamendacious@lemmy.world
on 03 Nov 2023 01:16
Come on seriously? There are guys out there who send pictures of their genitals to women thinking that’ll impress them. I’m sure you’ve heard at least one idea worse than this. 😜
(psst don’t tell anyone but that emoji is in my lemmy.world password… maybe)
Somewhereunknown7351@kbin.social
on 03 Nov 2023 01:21
There are guys out there who send pictures of their genitals to women thinking that’ll impress them
Good point
KairuByte@lemmy.dbzer0.com
on 03 Nov 2023 02:20
It’s not even the worst idea in passwords. Assuming the back end can handle it, an emoji is just another character.
sour@kbin.social
on 03 Nov 2023 01:51
am already use:
._.
TimeSquirrel@kbin.social
on 03 Nov 2023 02:36
Okay now’s my time to shine. The words “emoji” and “emoticon” are false cognates, as in they aren’t actually related. Emoticon is a few-decade-old word to describe emotion+icon, like :)
Emoji is Japanese (kanji - 絵文字) for picture-word, basically. It super outdates computers.
They just happen to sound similar; isn’t that fun?
PetDinosaurs@lemmy.world
on 03 Nov 2023 01:56
💯🐴🔋(umm, staple)
TimeSquirrel@kbin.social
on 03 Nov 2023 02:34
Jeez, you're right. We got pens, pencils, stock charts, even those folders with the colored label tabs, but no stapler, the most basic of office equipment.
davidgro@lemmy.world
on 03 Nov 2023 05:38
When it’s added, I expect most implementations will make it red.
Kusimulkku@lemm.ee
on 03 Nov 2023 07:03
I want it to be pregnant
TheGreenGolem@lemm.ee
on 03 Nov 2023 09:24
I love it, Bitwarden has supported generating passphrase style passwords for a while and it’s basically that. It’s my go-to these days.
Ookami38@sh.itjust.works
on 03 Nov 2023 02:51
I prefer picking a sentence or so that has meaning to me, using the first letters, and then adjusting for numbers/symbols. So if I wanted to make that a pw, it’d be 1ppa505thm2m,utfl,atafn/5. -looks completely unintelligible, but as long as you can remember the sentence and have some ideas of how you would have encoded it, easy enough to remember/recreate.
noodlejetski@lemm.ee
on 03 Nov 2023 06:53
good luck remembering all of those for every account you create, though.
lemmyvore@feddit.nl
on 03 Nov 2023 08:08
If you’re using a password manager you don’t need phrases you can remember, you can generate even more secure passwords. Or start using passkeys.
noodlejetski@lemm.ee
on 03 Nov 2023 10:19
I am, and I’m not jumping through hoops of making up a password sentence for every new website. I let Bitwarden take care of that for me.
Ookami38@sh.itjust.works
on 03 Nov 2023 12:59
Just use these methods for the pws you either need to know (like your password manager) or don’t want stored for whatever reason, like your bank. Otherwise, yeah, just let your password manager generate a password for whatever site.
Guest machines too. And I sorta prefer whichever browser/OS I’m using’s implementation because they’re usually styled similarly.
Ookami38@sh.itjust.works
on 03 Nov 2023 11:20
It’s as easy to remember a bunch of those as it is remembering 4 random words with no association, I think. And besides, just use that for the big, important, pws like your pw manager.
JigglySackles@lemmy.world
on 03 Nov 2023 03:34
Just be sure to throw in symbols and numbers to beef it up. Dictionary words are easier to brute force.
djdadi@lemmy.world
on 03 Nov 2023 04:31
Not 4 of them in a row. Keep in mind the attacker doesn’t know to "look for exactly 4 words".
Killing_Spark@feddit.de
on 03 Nov 2023 06:42
That’s just security by obscurity. It’s one other strategy of choosing passwords that a bruteforce attack is going to try if it gets popular
lolcatnip@reddthat.com
on 03 Nov 2023 16:15
That’s not what security by obscurity means. And going by your definition, all passwords are security by obscurity.
Killing_Spark@feddit.de
on 04 Nov 2023 11:33
If your strategy is to just use dictionary words your password will have little entropy and even less so if you use grammatically correct sentences. If the attacker knows this is your strategy of choosing passwords cracking one is way easier than cracking a password that has the same length but consists of randomly chosen characters.
Your password is only safe because the attacker doesn’t know your strategy of choosing the password which forces him to use inefficient methods of cracking it, while there would be a more efficient way if he knew the strategy you used. Which is security by obscurity.
notapantsday@feddit.de
on 03 Nov 2023 05:47
The whole idea is to make it easier for humans to remember and more difficult to brute force. Long passwords are much harder to brute force than complex passwords with lots of special characters. And they’re a lot easier for humans to remember.
There are enough words in any language that it’s virtually impossible to guess the correct four words, even if they’re in the dictionary.
Even so, most password requirements will force you to add them anyway. Quick way to do it is to just pick a number on a keyboard and add it and the symbol to the end. e.g HorseBattery2# and so on.
gonta@mander.xyz
on 03 Nov 2023 07:06
You can even make a complete sentence that makes sense with symbols and numbers.
And requirements like that are why my password strengths are completely out of whack:
Random websites get 24 randomly generated printable characters stored in my password manager. This is essentially unbreakable with conventional methods and can easily be adapted to fit whichever counterproductive rules the website enforces.
My password manager and my home computers get memorable but long phrases. A particular favorite is to start in the middle of a line from a song and continue from there. Nobody’s going to guess “make you swear and curse when you′re chewing on” but it’s easy to memorize if you already know the song. Even a dictionary attack is going to have trouble with that many words.
My work accounts get the bare minimum that complies with whichever rules the admins came up with. Numbers, special characters and mixed capitalization? No thirty letter phrase for you, then; you’ll get the minimum eight characters so I have a chance of memorizing the thing. Regular password changes? Great, now the last two characters are going to be incrementing digits, just like for everyone else.
There’s a reason why experts these days argue against anything but minimum length restrictions.
vamputer@infosec.pub
on 03 Nov 2023 03:50
I like doing entire phrases with some rhymes thrown in. Makes it easier to remember them.
“BonyTonyMoansHe’sOnlyGrownLonely” has a shitload of characters, and a full sentence (even a nonsensical one like that) is more memorable to me than a random handful of disparate words.
The more ridiculous, the better. (And, naturally, don’t forget your numbers and symbols)
EDIT: Actually, no idea why I made it all one group of words. So long as spaces are in the password’s character space (and they very well should be if friggin’ emojis are), there’s nothing stopping you from doing an entire, punctuated sentence- other than that we’ve been conditioned not to think of a password that way.
“Skinny Kenny’s friend, Mini Ben, has 20 chins.” That should be a fully-acceptable password with 46 characters (48 if you add the quotes), capital letters, numbers, and special characters.
scinde@discuss.tchncs.de
on 03 Nov 2023 10:05
You can’t compare a 46 random character password to a password composed out of words, the entropy of each is very different. Your kind of password is vulnerable to dictionary attacks which are way more common and easy than brute forcing every possibility. A 50+ character unique random password for each service that is stored in a password manager which is encrypted with a 20+ character random password is the most secure and future proof (for now).
Aatube@kbin.social
on 03 Nov 2023 11:00
If the attacker doesn’t know that you’re using a dictionary password, then dictionary attacks probably won’t be their first choice. I want to remember these passwords across devices and on guests.
scinde@discuss.tchncs.de
on 03 Nov 2023 12:31
Like someone else said on this thread; that’s just security by obscurity, which is bad. Dictionary attacks will be one of the first (brute force related) attacks attackers will use because word passwords are incredibly popular (though admittedly of fewer words: VeryBigDog34 etc…), and relatively easy to do.
I agree that having the password across different devices is somewhat of a challenge with a password manager, but not impossible. My very long and complex password is all down to muscle memory by this point, I couldn’t tell you what it is from memory.
Also you shouldn’t use the same password on multiple things and if you don’t use a password manager you will need to memorize a lot of different passwords.
aBundleOfFerrets@sh.itjust.works
on 04 Nov 2023 21:44
Dictionary attacks aren’t some magic bullet. There are a lot of english words and just four of them IS comparable in cracking difficulty to a standard 8-char password that is as random as you can make it. There are a lot more words than there are symbols. Four words is obviously not as good as 46 totally random chars
scinde@discuss.tchncs.de
on 05 Nov 2023 11:05
Dictionary attacks are definitely not a magic bullet, they require a lot of processing power, just like any other brute-force attack, but not more because of their longer length, as has been implied.
True, there are a lot of english words, but the amount of common words is relatively small. Most people aren’t going to choose a password like “MachicolationRemonstranceCircumambulationSchadenfreude”, even if it were generated for them (which is unlikely).
Sure, it is comparable to a standard 8 character password, but even that kind of password is verging on the insecure (it is the absolute minimum, which should be avoided when possible).
There are also a lot of symbols when you count emojis and the entire Unicode standard.
Kusimulkku@lemm.ee
on 03 Nov 2023 07:06
Password database
ammonium@lemmy.world
on 03 Nov 2023 07:21
Four words is too low these days to protect against gpu bruteforcing
elbarto777@lemmy.world
on 03 Nov 2023 08:12
Got a source on that?
Edit: plus brute forcing is just one scenario. I think the xkcd comic refers to using passwords in online services, and those usually have some sort of rate limiting.
ammonium@lemmy.world
on 03 Nov 2023 09:05
8 character a-zA-Z is 45 bits of entropy (log2(56^8)), about the same as the XKCD password if you take it from a 2048-word list. That’s crackable in a minute on AWS.
Password hashes get frequently stolen, don’t rely on rate limiting if it’s something you really care about.
elbarto777@lemmy.world
on 03 Nov 2023 10:47
Sure, but the average English speaker knows way more than 2048 words. Let’s not forget about case sensitivity, made-up or “inside joke” words, names, and specific industry vocabulary.
ammonium@lemmy.world
on 03 Nov 2023 11:04
Even if you take four words of a 30000 word list (quick Google says that’s the number of words an average person knows), that’s still less bits of entropy than a 5 word diceware password (7776 word list). People are also really bad at randomness, so your own string of random words is likely going to be much worse.
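To put numbers on the entropy argument in this sub-thread, here is an added Python example (mine, not any commenter's, standard library only) that computes the bit counts being quoted and generates a diceware-style passphrase by rolling dice from the OS CSPRNG instead of letting a human pick words. With 52 letters in a-zA-Z, 8 of them give about 45.6 bits; 4 words from a 2048-word list give exactly 44; 4 words from a 30000-word vocabulary give about 59.5; 5 diceware words give about 64.6. The word list in the block is a small constructed stand-in indexed by two dice; a real diceware list has 7776 entries indexed by five dice, which is where the 12.9 bits per word comes from. The guess rate of 1e11 per second is an assumption for a fast unsalted hash on a GPU rig; against a properly parameterized scrypt or argon2 hash it is several orders of magnitude lower, which is the point to check before believing any "crackable in a minute" figure.

```python
import math
import secrets

# Constructed stand-in for a diceware list.  A real list has 6**5 = 7776
# entries indexed by five dice rolls; this one has 6**2 = 36, indexed by two.
WORDS = """
acid bark cane dusk echo fern gale hazel iris jolt kelp lime
mint nook opal pine quay reed sage tusk urn vole wisp yarn
zinc bloom crag dune ember flint grove hinge inlet jade knoll loom
""".split()
DICE_PER_WORD = 2
assert len(WORDS) == 6 ** DICE_PER_WORD


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: half the keyspace at the given rate."""
    return 2 ** bits / 2 / guesses_per_second


def roll_index(dice: int) -> int:
    """Roll `dice` six-sided dice from the CSPRNG and read them as a base-6 number."""
    index = 0
    for _ in range(dice):
        index = index * 6 + secrets.randbelow(6)
    return index


def diceware(words: int, wordlist=WORDS, dice=DICE_PER_WORD) -> str:
    """A passphrase whose entropy is words * log2(len(wordlist)), no human choice involved."""
    return " ".join(wordlist[roll_index(dice)] for _ in range(words))


def compare_schemes(guesses_per_second: float = 1e11) -> dict:
    """Schemes from the thread: (bits of entropy, expected crack time in seconds).

    guesses_per_second is an assumed offline rate for a fast unsalted hash;
    a memory-hard KDF cuts it by orders of magnitude."""
    schemes = {
        "8 chars a-zA-Z (52 symbols)": entropy_bits(52, 8),
        "4 words, 2048-word list (xkcd)": entropy_bits(2048, 4),
        "4 words, 30000-word vocabulary": entropy_bits(30000, 4),
        "5 words, 7776-word diceware list": entropy_bits(7776, 5),
        "24 random printable ASCII (95 symbols)": entropy_bits(95, 24),
    }
    return {
        name: (round(bits, 1), crack_time_seconds(bits, guesses_per_second))
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, seconds) in compare_schemes().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{seconds:.3g} s at 1e11 guesses/s")
    print("sample passphrase:", diceware(6), f"({entropy_bits(len(WORDS), 6):.1f} bits)")
```

The figures only hold when the words are chosen uniformly from the list; a phrase you pick yourself, or a song lyric, is drawn from a far smaller and more predictable space than `len(wordlist) ** words` suggests.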
elbarto777@lemmy.world
on 03 Nov 2023 11:22
Thanks for the explanation. What’s diceware?
poopkins@lemmy.world
on 03 Nov 2023 11:51
It’s the concept of literally using a die to choose with randomness (humans are terrible at trying to be random); a link with details is in a previous comment.
elbarto777@lemmy.world
on 03 Nov 2023 11:57
Thanks.
ammonium@lemmy.world
on 03 Nov 2023 11:51
elbarto777@lemmy.world
on 03 Nov 2023 11:57
Thanks.
lolcatnip@reddthat.com
on 03 Nov 2023 16:12
That only works if someone already has access to a system’s password database.
SirEDCaLot@lemmy.fmhy.net
on 03 Nov 2023 02:49
Last week or two I’ve been learning more about passkeys, and it makes threads like this seem ridiculously out of date.
Given the choice between emojis and passwords and hard crypto, I’ll take the crypto.
soloner@lemmy.world
on 03 Nov 2023 03:20
What’s crypto?
JigglySackles@lemmy.world
on 03 Nov 2023 03:33
Well you see there’s this thing called the Blockchain, it’s like a ledger…
ivanafterall@kbin.social
on 03 Nov 2023 03:59
Man, I sure wish I could get on the ground floor of this exciting new technology as an investor.
thanevim@kbin.social
on 03 Nov 2023 05:01
Might be too late for that, but BOY do I have a bridge to sell you!
ivanafterall@kbin.social
on 03 Nov 2023 15:54
You're kidding. A real-life bridge!? You can own those!? Name your price.
With passkeys, your browser and the website exchange a public-private key pair then make up long random one-time “passwords” every time you login but only use them to check they each still have the right key.
I guess I’m gonna need the answer spoonfed to me. I think I understand how the tech works but I don’t understand the advantage over a complex non-reused password. Maybe keyloggers, if it’s one-time thing?
coffinwood@feddit.de
on 03 Nov 2023 08:51
The advantage - from my very incomplete understanding - is that your passkeys cannot be phished or stolen from you. So only you from your device can log in to the site.
Which leaves me with the question, how cross-device passkeys work.
Kusimulkku@lemm.ee
on 03 Nov 2023 09:25
That would be a really nice advantage but yeah, I wonder how cross-device passkeys or recovery passkeys would work
ricecake@sh.itjust.works
on 03 Nov 2023 15:18
There are different ways.
One way is to use an encryption module on the device that, rather than storing the keys just encrypts the keys and holds an encryption key that you can’t extract, and can do various crypto operations.
Now you ask the module to do a secure key exchange algorithm with the new device, mediated by a party the module trusts, like apple or something.
Now both devices share a secret key, and they trust that the other is owned by the same user because the owner verified with apple who then signed the exchange messages.
Old device decrypts with the old key, and encrypts with the new key, never letting the data leave the secure module. Send the data to the new device which can do the reverse, and both devices forget the shared password.
Overall, minor weaknesses like storing keys in the cloud encrypted by a key derived from a password that the cloud never sees, while objective weaknesses, are still significant net improvements to security over passwords.
coffinwood@feddit.de
on 03 Nov 2023 22:35
Thank you for explaining. That’s a thing most sites leave out: tell people how the keys cannot be stolen while still working on a different device.
ricecake@sh.itjust.works
on 03 Nov 2023 23:34
Big reason for that is the spec for how this all works being around for a while, giving people a lot of time to write about the core of how it works, but the viable popular implementations are far newer, so articles still haven’t been updated, and doing the key transfers is still one of the newest parts that the big vendors don’t want to talk about yet, because they still have to get their patents fully approved and everything.
What I described above is one way to move data between two devices in a secure way with a trusted intermediary to verify identity, but I have no idea if it’s how any major vendor actually does it, because they haven’t made that data public. It’s just what’s obvious to a sufficiently informed subject matter expert.
lemmyvore@feddit.nl
on 03 Nov 2023 09:24
There are lots of advantages:
No need to worry about password encoding, like this emoji debacle for example. Actually there’s no need to worry about passwords in general anymore, no more worries about lengths, encoding, character space, remembering them etc.
It eliminates that scam where attackers set up a site on a domain that looks like the correct one, because the domain is part of the protocol.
It eliminates phishing for 2FA because login only works on your device anyway and there’s nothing you can be tricked into giving away to an attacker.
If attackers break into a site and steal the public keys they can’t use them for anything.
Since the whole process is automated between servers and browsers and also standardized, it can be upgraded seamlessly and continuously; you can upgrade the protocol, the key lengths, the encryption ciphers etc. with zero impact for the user. New upgraded versions can be distributed to both servers and browsers and they’ll just use the highest version they both have.
2FA is a core part of the protocol, but again in a way that eliminates phishing: it’s basically a way to unlock access temporarily to one specific key in your key vault. You can use a master password, or a USB key, or TOTP codes, or biometrics (fingerprint or face) etc., but NOT cellular texts (SMS) anymore because the vault stays on your devices, no need for another party to send you anything.
Syncing your vault online and over multiple devices, as well as backup, are also a core part of the approach and will eliminate the worry that you drop your phone and you’re screwed forever.
The downside is that there’s been a whole bunch of tools and apps and services built around passwords for decades and converting all that mass to passkey tools will take a bit.
There are some other tradeoffs like, right now for example I can reasonably print all my passwords and TOTP codes on a few sheets of paper and achieve an “offline” backup in case of untimely death and so on, it’s going to be a bit more cumbersome with passkeys. But I expect there will be ways to optimize that as the technology evolves.
ricecake@sh.itjust.works
on 03 Nov 2023 15:00
Passkeys, under the hood, use a way of proving your identity that doesn’t require you to actually send your password, and also doesn’t require you to send your username either.
Because of how it’s implemented, the system managing the passkeys also gets to authenticate that the website is who it says it is.
So no private data actually gets sent anywhere, but you can prove your identity while also checking the identity of the site you’re talking to, like the SSL lock icon but automated.
It’s often implemented such that the device that holds the keys can’t actually have them stolen from it, and it’s integrated with a biometric sensor.
This means it’s possible to have a high degree of confidence that the person logging in is physically the same person who created the credential, and not just someone who had their password stolen.
The final perk, is that if you’re using something like a phone with a fingerprint scanner, passkeys work as two factors of authentication, despite only feeling like one.
Because the phone verifies your identity via fingerprint (something you are), it can then unlock the key that is uniquely available to the phone (something you have).
Combine that with being generally easier to use, and it’s pretty clear why most security experts are pushing them. Security that users will use is better than security they won’t, and finally we have easier to use security that’s also better than the more difficult options.
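The exchange ricecake describes, as an added Python example (mine, not ricecake's and not any vendor's implementation; standard library only). It walks through registration, a challenge-response login, a replay of the same assertion, a lookalike-domain phishing attempt, and a forgery attempt by someone who dumped the site's database and has only the public key. To stay dependency-free it uses a toy Schnorr signature over a 127-bit prime group; that is a stand-in for the ECDSA P-256 or Ed25519 keys real passkeys use and is not secure at this size. The browser step that derives the relying-party ID from the page origin is collapsed into the `rp_id` argument, which in real WebAuthn the user never supplies.

```python
import hashlib
import secrets

# Toy signature group, for illustration only: 127-bit Mersenne prime, generator 3.
# Real passkeys use ECDSA P-256 or Ed25519; the protocol shape is the same.
P = (1 << 127) - 1
G = 3
Q = P - 1  # exponents live mod p-1 (Fermat), so g^s depends only on s mod Q


def _hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keygen():
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)  # (private, public)


def sign(x: int, msg: bytes):
    """Schnorr: r = g^k, e = H(r || msg), s = k + e*x mod Q."""
    k = secrets.randbelow(Q - 2) + 2
    r = pow(G, k, P)
    e = _hash_int(r.to_bytes(16, "big"), msg) % Q
    return r, (k + e * x) % Q


def verify_sig(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = _hash_int(r.to_bytes(16, "big"), msg) % Q
    return pow(G, s, P) == (r * pow(y, e, P)) % P


class Authenticator:
    """The user's device: one key pair per relying party, private keys never leave."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, private_key)

    def register(self, rp_id: str):
        cred_id = secrets.token_hex(8)
        x, y = keygen()
        self._creds[rp_id] = (cred_id, x)
        return cred_id, y  # only the public key goes to the site

    def assert_login(self, rp_id: str, challenge: bytes):
        # No credential for this rp_id means nothing to sign: a lookalike domain
        # gets a KeyError, not a signature.  The signed message binds rp_id, so a
        # signature for one site cannot be relayed to another either.
        cred_id, x = self._creds[rp_id]
        client_data = hashlib.sha256(rp_id.encode() + challenge).digest()
        return cred_id, sign(x, client_data)


class RelyingParty:
    """The website: stores public keys and single-use challenges."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._pubkeys = {}  # credential_id -> (user, public_key)
        self._pending = set()

    def store_credential(self, user: str, cred_id: str, y: int):
        self._pubkeys[cred_id] = (user, y)

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._pending.add(c)
        return c

    def check_assertion(self, challenge: bytes, cred_id: str, sig):
        """Return the user name on success, None on any failure."""
        if challenge not in self._pending:
            return None  # unknown or already-used challenge
        self._pending.discard(challenge)  # single use: blocks replay
        if cred_id not in self._pubkeys:
            return None
        user, y = self._pubkeys[cred_id]
        client_data = hashlib.sha256(self.rp_id.encode() + challenge).digest()
        return user if verify_sig(y, client_data, sig) else None


def demo() -> dict:
    device, site = Authenticator(), RelyingParty("example.com")
    cred_id, pub = device.register(site.rp_id)
    site.store_credential("alice", cred_id, pub)

    c = site.new_challenge()
    cid, sig = device.assert_login(site.rp_id, c)
    login = site.check_assertion(c, cid, sig)   # "alice"
    replay = site.check_assertion(c, cid, sig)  # None: challenge consumed

    try:  # phishing page on a lookalike origin asks the device to sign
        device.assert_login("examp1e.com", secrets.token_bytes(32))
        phish = "signed"
    except KeyError:
        phish = "refused"

    # attacker who dumped the site's database has pub but not x
    forged = site.check_assertion(site.new_challenge(), cid, sign(424242, b"guess"))
    return {"login": login, "replay": replay, "phish": phish, "forged": forged}
```

Two things this shows that the prose does not: the challenge is consumed on first use, so a captured assertion is worthless a second time, and the signed message includes the relying-party ID, so there is no shared secret for an attacker to extract from the server or relay between origins.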
marx2k@lemmy.world
on 03 Nov 2023 03:22
…no
AceFuzzLord@lemm.ee
on 03 Nov 2023 03:48
I’d rather staple my forehead to a telephone pole before I ever think about using an emoji in a password. Those things are abominations!
Sterile_Technique@lemmy.world
on 03 Nov 2023 04:01
Edit: Oh. Did a “Wooosh” happen to me right now? Are you being ironic and referring to the XKCD thing about how to make a secure password using words in phrases?
elbarto777@lemmy.world
on 03 Nov 2023 08:11
I think OP is conflating the use of emojis in passwords with the use of emojis by the general public.
Yes, it’s annoying to read stuff like “Hi 😃😃😃😃 I am Bob ♥️♥️♥️😎😎😎😎,” but that doesn’t mean that using them in passwords is a bad idea.
Valmond@lemmy.mindoki.com
on 03 Nov 2023 08:44
nextcollapse
Well they have to be the same on different devices, like you log in to Lemmy on your PC and then on your phone. Also sometimes it seems the icons change, or there are new ones and maybe old ones are removed …
elbarto777@lemmy.world
on 03 Nov 2023 10:43
collapse
Emojis are standardized. They may look different in different devices, but the code of a “raised hands” emoji will always be the same, just like the code for A is always the same.
Removing old ones could be a problem, though.
Droechai@lemm.ee
on 03 Nov 2023 10:47
nextcollapse
Just like a gun is standardized to a water gun for some and a real gun for others?
Edit: I get your point, it’s just that if you memorize your password with emoji icons, different icons would screw up your tries to log in
elbarto777@lemmy.world
on 03 Nov 2023 11:59
collapse
If you search for “gun” in your device when selecting an emoji, just pick whatever comes up. Done.
Corkyskog@sh.itjust.works
on 03 Nov 2023 11:56
collapse
What if I am using a device that doesn’t support emojis? wouldn’t I need to learn the code for each emoji I have used in a password?
elbarto777@lemmy.world
on 03 Nov 2023 12:01
nextcollapse
That’s a good question, and yeah, I guess you’d either avoid using emojis or accept the fact that they’re not universally supported.
Having said that, some people use non-ASCII characters in their passwords, such as Œ, which is a valid letter in some alphabets, and they’d run into the same issue.
In my experience the only one that works with any degree of reliability is YouTube. Even the Netflix one can be fairly intermittent.
Also, a lot of the time you’ll go away and the hotel you’re in will have a smart TV whose software was last updated in 2011, so you have to sign in on the device.
elbarto777@lemmy.world
on 03 Nov 2023 08:09
nextcollapse
Scan the QR code and log in on your phone. Oooh scary
lolcatnip@reddthat.com
on 03 Nov 2023 16:03
collapse
I’ve had to manually type in passwords on a TV several times in the last few months because sometimes the login for even the biggest brand-name services is just broken.
jbk@discuss.tchncs.de
on 03 Nov 2023 08:29
nextcollapse
What’s up with all the hate for emojis lmao
xthexder@l.sw0.com
on 03 Nov 2023 08:39
nextcollapse
Back in my day we only had 95 printable characters, and that’s the way we liked it! /s
If I’m going to be relaying through to people strictly over text as much as I do these days, I better have a way to articulate it with the right emotional range to match my sparkling personality ✨
I’m convinced emojis are what has been missing from language for a long time. They are great way to portray emotions through texts, which otherwise could not be achieved.
pewgar_seemsimandroid@lemmy.blahaj.zone
on 03 Nov 2023 12:27
nextcollapse
💀💀💀💀💀💀💀🗿🗿🗿🗿🗿🗿🗿🚣👍👍👍👍👍👍🔥🔥🔥🔥🔥🔥🔥 sigma
the emojis and text above are a part of the reason
reagansrottencorpse@lemmy.world
on 03 Nov 2023 12:38
nextcollapse
What’s the boat rowing used for typically?
bingbong@lemmy.dbzer0.com
on 03 Nov 2023 15:56
nextcollapse
Traversing water using manual propulsion
CmdrShepard@lemmy.one
on 03 Nov 2023 16:10
collapse
Don’t act like you don’t already know, pervert.
echodot@feddit.uk
on 03 Nov 2023 16:15
nextcollapse
😠 I hate it when people do that because the emoji don’t mean anything. Like I can use a single emoji to actually relay some information but just putting a bunch of them doesn’t do anything.
jbk@discuss.tchncs.de
on 03 Nov 2023 18:53
collapse
well that just sounds like you don’t like immature content/people
Snowpix@lemmy.ca
on 03 Nov 2023 15:05
nextcollapse
People who use them tend to spam the hell out of them. Like, 8 of the same emoji. And they use them every other sentence. It’s obnoxious, you only need one or two to get the point across.
schnurrito@discuss.tchncs.de
on 03 Nov 2023 20:51
collapse
They didn’t exist yet when I was an early teenager, all we had were emoticons that might be replaced by images by the forum software, so of course I think they’re stupid /s
Without sarcasm, it is a good thing we have standardized symbols now and don’t have to implement emoticon replacement into forum or chat or social media software. If only because half of such implementations replaced any occurrence of the number 8 followed by a closing parenthesis with 😎 even when that wasn’t the intended meaning (one can think of many other times one would end a parenthetical statement with the number 8).
I’ll let you be in charge of teaching them that. I literally had to talk someone through how to type an exclamation mark today, I don’t think they’re going to handle the extended Unicode character set.
sarmale@lemmy.zip
on 03 Nov 2023 12:20
nextcollapse
Can you write any unicode character?
Gotta make passwords in cuneiform
Salamendacious@lemmy.world
on 03 Nov 2023 12:34
nextcollapse
Salamendacious@lemmy.world
on 03 Nov 2023 16:27
collapse
That was a joke. There now we both said something that was plainly obvious.
bingbong@lemmy.dbzer0.com
on 03 Nov 2023 15:55
collapse
(👁 ͜ʖ👁) 𓂺
-The most secure password
BrianTheeBiscuiteer@lemmy.world
on 03 Nov 2023 13:04
nextcollapse
Sounds great where it works but I’m sure most systems would reject an emoji or make you type out some overly complex password in addition to your emoji.
Toribor@corndog.social
on 03 Nov 2023 13:29
nextcollapse
Honestly you’d be surprised how many places it just works magically. I was surprised to find that Office365 users could use emojis in names for Microsoft Teams which had no problem syncing those accounts back to an on-prem Active Directory. You can use emojis to name a whole SQL database, let alone users/passwords on it.
I keep wondering if I need to figure out how to turn that off but it hasn’t caused any problems. It’s definitely sketchy looking though when you see a bunch of normal usernames and then suddenly one is just ten snowman emojis in a row.
Emojis are just a string of special characters that get recognised and replaced by an image anyway. It is the same as using those special characters separately.
echodot@feddit.uk
on 03 Nov 2023 16:10
nextcollapse
It’s all just Unicode, so in theory a password system shouldn’t think that emoji are any more interesting than any other character. To a computer the letter B and the emoji ✈️ are equivalent in that they’re both just normal characters that one can type.
Sort of, emoji are usually treated as two or more normal characters so ✈️ might be equivalent to BB. But the basic point is the same.
Dark_Arc@social.packetloss.gg
on 04 Nov 2023 01:48
collapse
It should work reasonably well in password systems that hash the password from a UTF-8 encoding… Which should be most things really. If the system is trying to process everything with ASCII, maybe not. It might even appear to work but get converted to some other character (which is kind of the worst case)… That should be rare in web applications though
xantoxis@lemmy.world
on 03 Nov 2023 16:20
nextcollapse
Oh for fuck’s sake, just turn on 2FA
spark947@lemm.ee
on 03 Nov 2023 16:35
nextcollapse
Until you get to a prompt that doesn’t support unicode.
marius851000@lemmy.mariusdavid.fr
on 03 Nov 2023 18:29
nextcollapse
Meanwhile, Android not even wanting to accept accents is painful.
SnipingNinja@slrpnk.net
on 03 Nov 2023 20:27
collapse
That doesn’t sound right. Maybe non Google Android does that, but no such issue on Pixel.
kapx132@lemmy.world
on 03 Nov 2023 19:26
nextcollapse
or just use special characters of languages like: ą, ę, ø, č
Salamendacious@lemmy.world
on 03 Nov 2023 20:02
nextcollapse
Do you have trouble on physical keyboards?
Grass@sh.itjust.works
on 04 Nov 2023 01:34
collapse
Programmable or modded keyboard with qmk and you can physical key some pretty wacky stuff if you really wanted to.
bradbeattie@lemmy.ca
on 04 Nov 2023 16:09
collapse
atkion@sh.itjust.works
on 03 Nov 2023 20:10
nextcollapse
The colors on that are kinda confusing. 6tn years is yellow, but 2k years is green?
SnipingNinja@slrpnk.net
on 03 Nov 2023 20:26
collapse
It seems like the designer didn’t notice the error
bnfdhfdhfd@lemmy.world
on 03 Nov 2023 20:51
nextcollapse
So those annoying as hell “6 character, lowercase and uppercase letters, special character” passwords give a full 6 minutes of protection. Good to know.
ngcbassman@sh.itjust.works
on 04 Nov 2023 02:35
collapse
For 6 characters it’s 5 seconds. I like the idea of using passphrases that mix casing with symbols but still look like real words; it makes it easier to write them down when you need them, and they can be very long, so they are quite secure, of course using a password manager to be able to manage them.
bnfdhfdhfd@lemmy.world
on 04 Nov 2023 16:07
collapse
Damn, even worse than I thought. I wish someone would show this to the people who set those ridiculous password requirements.
I was glad when my work did away with monthly password changes and went with 15 characters minimum as the only requirement.
echodot@feddit.uk
on 04 Nov 2023 01:04
nextcollapse
Why is 1,000 years yellow in that graph?
If a password can’t be broken in 1,000 years it is utterly unbreakable in any effective sense of the term. No one’s going to run the program for a thousand years because even if they did it wouldn’t be relevant at the end of the process.
Hell even 51 years is pushing it.
The_Vampire@lemmy.world
on 04 Nov 2023 01:29
collapse
Well, the rate passwords can be tested at now may not always be the rate passwords can be tested at later. Computers were, at one point, growing exponentially faster in terms of processing power. There are still several emerging technologies out there that could cause significant speed-ups.
It’s certainly better to future-proof your passwords.
dbilitated@aussie.zone
on 04 Nov 2023 22:24
collapse
I wonder if this assumes the cracker knows how long etc the password is when they start cracking.
I always make my passwords “a” because I figure they’ll start cracking attempts at 5 characters 😁
fosstulate@iusearchlinux.fyi
on 05 Nov 2023 00:56
collapse
In EVE Online that’s called ‘getting underneath the guns’. 🎓
PlexSheep@feddit.de
on 03 Nov 2023 20:40
nextcollapse
Rookie numbers. Max out the character limit.
Seriously tho: go for at least 80 bit randomized characters. If it’s something you have to type, use a couple of random words. Longer passwords are exponentially more secure.
Salamendacious@lemmy.world
on 04 Nov 2023 00:17
collapse
All I can picture in my head is Matthew McConaughey telling Leonardo DiCaprio he needs to masturbate more
314xel@lemmy.world
on 03 Nov 2023 21:32
nextcollapse
It depends on how the password is stored / KDF used (what type of hash, salting, bcrypt, etc).
Judge for yourself if it’s an old website or old piece of software that might use (god forbid) MD5. Since one would not normally know that, I’d go with 20 (good, cryptographically) randomly generated upper/lower/digits if using a password manager, or 40ish characters passphrase if you need to remember and/or easily type it. Add some punctuation / special chars (spaces, commas, dots, paranthesis, etc) if it’s an important masterkey (ie password manager key, encrypted container, etc) and you have decent typing skills.
Some shitty sites / routers don’t accept certain special characters, hence go with upper/lower/digits as standard but use longer lengths (if the shitty site allows you and doesn’t limit that too). Limits to what a password should contain and/or length limits would be a sign of lazy programming and poor password management, so treat them as insecure from the get-go (yes, even big names like Oracle have piss-poor security or lazy implementation). Good programming nowadays shouldn’t have those limits, as user input sanitization / injection protection exists, and hash functions have a fixed length no matter what the input length is.
Also very important, don’t reuse passwords for online accounts. Hence a password manager remembering them for you. There are still websites storing passwords in plain text. You wouldn’t want your local pizza hut know or leak your email password by being hacked.
Aceticon@lemmy.world
on 03 Nov 2023 22:29
nextcollapse
Grab a sentence you know well.
Pick just the first letter of each word.
It will look like it’s random - for example “I like my lemmy only with beans and bacon” becomes “ilmlowbab” - and it comes from a far vaster possibility space (every possible sentence, and it need not even make sense) than that of “words in the English language and derived words”, so it’s a lot harder to try to crack with a dictionary attack.
Also it works in everything that takes ASCII characters (i.e. everything but numeric-only pin codes).
Salamendacious@lemmy.world
on 04 Nov 2023 00:05
collapse
A nice system
lazycouchpotato@lemmy.world
on 04 Nov 2023 01:47
nextcollapse
I disagree with them.
Emojis do not look the same on all platforms. Let’s take white large square ⬜ for example. Emojipedia shows what that emoji looks like on 26 different vendors. Some are pure white, some are shades of grey, and then there’s Microsoft, who in its usual infinite wisdom decided it should be purple. Large yellow square 🟨 is a tossup between actually yellow and orange. This issue is also exacerbated by different displays displaying colours differently. Factors such as colour accuracy, viewing angle and brightness affect how you perceive colour.
<img alt="" src="https://lemmy.world/pictrs/image/4300511f-3280-480f-9b33-07a24f8974cf.png">
This also extends to face emojis. grinning face with big eyes (Emojipedia link) isn’t that easy to tell apart from grinning eyes (Emojipedia link)
Emoji support depends on your device. I’m on Windows 11 22H2, which recently added support for shaking face 🫨. Problem is, Windows’ emoji picker Win + . (period) doesn’t have it. Trying to log in on a friend’s phone that’s still on iOS 15 or Android 12, before shaking face came out? Enjoy manually copy/pasting the emoji from Emojipedia.
kromem@lemmy.world
on 04 Nov 2023 01:53
nextcollapse
No. There’s only one piece of advice that should be given to users in 2023 about how to make their passwords stronger:
Use a password manager
Just use 32 character random alphanumeric passwords that are unique for each site (you can do more like 12-16 characters if you’ll ever need to enter manually).
This is it. Stop trying to create clever passwords that you can remember. You aren’t as uniquely creative as you think and there’s been bodies of research into how the various things people do to create passwords that look secure can reduce the generation space so much that they become considerably easier to crack with an intelligent algorithm.
shucks@lemmy.blahaj.zone
on 04 Nov 2023 16:59
nextcollapse
I got it to a stable 54% by using an algorithm (typing f or d for consonants and vowels respectively in sentences I thought up, switching languages regularly), and a stable 56% by just typing randomly and adjusting my patterns based on the colored output, which might have skewed my results.
Certainly a very cool tool, I also liked the explanation linked on the page!
Few, but those that don’t you can just shorten the length generated.
Arfman@aussie.zone
on 04 Nov 2023 02:14
nextcollapse
A long time ago a friend of mine used a set of key presses to generate a smiley face to put in his BIOS, which ended up in a situation where he was not able to type the same smiley face into the password prompt. I had to teach him to reset his BIOS battery to get back into the BIOS.
Salamendacious@lemmy.world
on 04 Nov 2023 07:28
collapse
You’re a good friend
Agent641@lemmy.world
on 04 Nov 2023 16:12
nextcollapse
For petty services where you don’t want to have to break out the password manager, try making your own mental salted hash.
Pick four long words at random. Assign each of these to the four quadrants of the alphabet.
A-F - Equipment
G-M - Triumphant
N-S - Sampling
U-Z - Fatigued
Pick one number:
4
Now, take the first letter of the service that the password is for, and that selects your quadrant word. Take the number of letters in the service and multiply it against your number. Take the last letter of the service, and on your QWERTY keyboard, move all the way to the right of that line to select the first symbol there. That’s your unique password that’s salted with your personal words and number.
Facebook = Equipment32:
Lemmy = Triumphant20{
Pizza Hut = Sampling36{
If you want more security for these petty services, use longer words, bigger number, or use some other metric, Tweak the algorithm to make it unique to you. Maybe capitalize a middle letter in your salt word based on the length of the service name. Maybe add the first letter of the colour of the service logo to the password, EG
Facebook = Equipment32:B
Lemmy = Triumphant20{T
Pizza Hut = Sampling36{R
Petty services I would consider to be anything that’s not super critical, and is at a higher likelihood of breaching my shit.
For banks, primary emails, or government services, use a more complex algorithm or a random string of chars from your password manager.
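A reconstruction of the scheme in the post above, added here as an example and not the poster's own code, so the three worked results can be checked and the edge cases made visible: the post's table assigns no word to services starting with T, the length counts spaces ("Pizza Hut" gives 36, so 9 characters), and only the top and home rows' symbols are given, so "<" for the bottom row is an assumption.

```python
# Reconstruction of the posted scheme (added example, not the poster's code).
# The post's table skips the letter T, so a service starting with T raises.
WORD_FOR_RANGE = [("A", "F", "Equipment"), ("G", "M", "Triumphant"),
                  ("N", "S", "Sampling"), ("U", "Z", "Fatigued")]
PERSONAL_NUMBER = 4
# QWERTY rows and the shifted symbol on the first key right of the letters.
# "{" and ":" are the post's own examples; "<" for the bottom row is an
# assumption by analogy (Shift + comma).
ROW_SYMBOL = {"qwertyuiop": "{", "asdfghjkl": ":", "zxcvbnm": "<"}

def word_for(initial):
    for lo, hi, word in WORD_FOR_RANGE:
        if lo <= initial.upper() <= hi:
            return word
    raise ValueError(f"no word assigned for services starting with {initial!r}")

def symbol_for(final):
    for row, symbol in ROW_SYMBOL.items():
        if final.lower() in row:
            return symbol
    raise ValueError(f"{final!r} is not a letter key")

def derive(service, logo_colour=None):
    """Word + (length x number) + symbol, optionally + first letter of the
    logo colour. Length counts every character of the name as typed, spaces
    included: the post's 'Pizza Hut' = 9 x 4 = 36."""
    password = f"{word_for(service[0])}{len(service) * PERSONAL_NUMBER}{symbol_for(service[-1])}"
    if logo_colour:
        password += logo_colour[0].upper()
    return password
```

`derive("Facebook")`, `derive("Lemmy")` and `derive("Pizza Hut")` reproduce the post's `Equipment32:`, `Triumphant20{` and `Sampling36{`. The function is a pure function of the four words and the number, which is the property later replies in the thread point at: once one output leaks, the only way to rotate it is to change a secret that changes every other password too.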
adrian783@lemmy.world
on 04 Nov 2023 16:35
nextcollapse
too short, for all that effort just use a sentence with a symbol and a number.
FacebookCanGoToHell!123 is more secure and easy to remember
Agent641@lemmy.world
on 04 Nov 2023 16:57
nextcollapse
You’re going to memorize a unique sentence for each service?
A method like this allows you to memorize only 4 words of arbitrary length, a number, and a simple algorithm to yield unique passwords for each service.
Rubanski@lemm.ee
on 04 Nov 2023 17:17
nextcollapse
Also you can’t really “forget” a password, because it’s connected to the name of the site. Very clever
Evotech@lemmy.world
on 04 Nov 2023 17:48
nextcollapse
You can also add a standard phrase to all of them that is shared between them all just to make them more complex
Equipment32:thisismypassword
adrian783@lemmy.world
on 05 Nov 2023 13:53
collapse
yes, it is what I do now. there was a time when people memorized 10, 15 phone numbers.
banneryear1868@lemmy.world
on 05 Nov 2023 00:27
collapse
Yeah putting the name of the service in the passphrase is actually pretty secure, unless the rest of the password is like “thisisapasswordforFACEBOOK” cause then one password gets leaked and the rest can be inferred.
Just come up with one strong password (see xkcd.com/936/) for your password manager and use randomly generated passwords for everything else. There’s no reason to manually compute a hash every time you sign up for a service.
HiddenLayer5@lemmy.ml
on 04 Nov 2023 18:13
collapse
Also, for a non-remembering solution, use a security key with your password manager, the kind that plugs into USB and you have to tap a button to authenticate. Then you can generate a true random password and store it somewhere safe as a backup, and mainly use the key for day to day.
dbilitated@aussie.zone
on 04 Nov 2023 22:19
collapse
what about when you’re on your phone?
floridaman@lemmy.blahaj.zone
on 04 Nov 2023 23:57
nextcollapse
Many security keys have NFC, or if you’re on a modern phone, you can use USB type C (Yubikey 5C)
HiddenLayer5@lemmy.ml
on 05 Nov 2023 00:36
collapse
Authentication app is another option. I believe some password managers can be set up to take the master password once per device and then accept authenticator codes to unlock for each subsequent time.
Or, since your phone is probably a lot more locked down than your computer, almost every modern phone since like the days of the iPhone 5S has a cryptographic TPM/secure enclave in the processor while the fact that not every computer has one was a major sore spot in Windows 11 compatibility, it might also be acceptable to just leave the password manager unlocked on your phone all the time, depending on your threat model. Assuming your phone is both encrypted and password protected and you trust the OS to implement both securely, the pin on your phone works more like the pin on your credit card than a traditional password login on a non-encrypted non-TPM computer, so even if a bad actor physically had your phone, it would be very hard to actually extract data out of it without the passcode (assuming it’s just your garden variety cybercriminal and not the CIA or something), which would serve as your master password in that case. Hardware security features can also resist brute force attacks where someone clones your hard drive and hooks it up to their own computer to try and guess the encryption password without the wrong entry time delays slowing them down, a secure enclave will actually enforce the time delays with no easy bypass and can also be set to wipe the phone if you get the passcode wrong too many times.
Phone apps are also almost entirely sandboxed from each other and can’t directly access other apps’ data, so the risk of a malicious program reading the password manager’s cache or database is also far lower than most desktop operating systems.
splines@reddthat.com
on 04 Nov 2023 21:52
collapse
The problem with using hash schemes like this is that when your password is leaked you can’t easily rotate the password.
bdkmshr@monyet.cc
on 05 Nov 2023 01:17
nextcollapse
Not to mention if you suddenly developed amnesia or dementia
This is what got me using a password manager. I didn’t want to trust a password manager because it felt like they would be highly targeted and one vulnerability would reveal everything. And let’s be honest they still are the same.
So I had my own scheme for generating passwords. I made myself a script that I could use on my phone and PC. It worked beautifully and effortlessly until occasionally a service would force me to choose a new password. When this started happening I made a new scheme for generating passwords and made a new script. When it first happened it was still reasonably easy because there was only one service I had to use the alternative. It started to become more difficult the more services asked for a new password.
I used my own system for several years until I had enough with trying to remember which services used the alternative scheme and wondered when I’d have to make a third scheme. And if I did then the mental complexity would significantly increase.
Interestingly only a couple of services publicly announced they had been hacked and none of my passwords have ever appeared on haveibeenpwned. So I wonder why these services asked for a new password and if they had been attacked why they chose not to announce it.
Treczoks@lemm.ee
on 04 Nov 2023 16:44
nextcollapse
Completely useless from many sources where I have to rely on a keyboard for entering passwords.
drugo@sh.itjust.works
on 04 Nov 2023 20:44
collapse
Most modern OSes feature emoji pickers though
RagingRobot@lemmy.world
on 04 Nov 2023 22:05
nextcollapse
Mac os and windows? I haven’t seen it on my Mac but maybe on windows? Those are pretty modern. I haven’t seen it in Linux either now that I think of it.
ayyansea@lemmy.world
on 04 Nov 2023 22:10
nextcollapse
there is a “Characters” app in Gnome that lets you pick emojis
dbilitated@aussie.zone
on 04 Nov 2023 22:17
nextcollapse
win+. will bring it up in windows
paraphrand@lemmy.world
on 05 Nov 2023 00:18
nextcollapse
As it said in the document: With a little help from your OS. So I want to log into lemm.ee from another person’s computer. I do not have my own keyboard, nor do I have my additional drivers or extensions or whatever. Oops. No login.
SuddenlyBlowGreen@lemmy.world
on 04 Nov 2023 21:23
nextcollapse
Just use a password manager, goddamn.
RagingRobot@lemmy.world
on 04 Nov 2023 22:03
nextcollapse
But only save emojis in it lol
fosstulate@iusearchlinux.fyi
on 05 Nov 2023 00:49
collapse
Two of my colleagues still use locally stored plaintext for individual work credentials, despite having been shown where the password manager is. Both have accessed their files in front of me. If it’s not in those files it’s saved in the browser (because convenience is a hell of a drug). Now you start to see why discrete managers have a hard time, even amongst technology workers.
SuddenlyBlowGreen@lemmy.world
on 05 Nov 2023 16:41
collapse
Yeah, you can lead a horse to water, and whatnot.
Cosmos7349@lemmy.world
on 05 Nov 2023 00:21
collapse
As a software developer who has worked with a lot of symbols and emoji… PLEASE DON’T DO THIS.
Software doesn’t all handle these symbols the same way, and without tech knowledge (or even with) , it’s very possible to not be able to log in easily. I’m kinda drunk rn, but I’ll try to explain as simply as I can…
For example… skintone emojis are actually two characters, a face and a skin tone modifier. I think those ones are always two characters but some of these “multi-char” characters can be normalized into a single character. But not everyone handles this the same way. For example, Safari might normalize the emoji, but Firefox might treat it as two separate characters… And this would probably make your password not match. But basically… text has lots of edge cases; I’d advise to use normal passwords please (also maybe a password manager)
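The two points made in the thread by Dark_Arc (ASCII-only handling that silently converts characters) and by Cosmos7349 above (emoji that are really several code points, and normalisation that differs between clients) can be made concrete with Python's standard library. This is an added example, not code from either post; the sample strings are constructed, and the `prepare_password` step is the usual defender-side fix of canonicalising to NFC and UTF-8 before the bytes reach the hash.

```python
import unicodedata

# Constructed sample strings (not from the thread); escapes keep the exact
# code points visible.
AIRPLANE = "\u2708\ufe0f"                 # airplane = U+2708 + variation selector-16
THUMBS_MEDIUM = "\U0001F44D\U0001F3FD"    # thumbs up + medium skin tone modifier
CAFE_NFC = "caf\u00e9"                    # e-acute as one precomposed code point
CAFE_NFD = "cafe\u0301"                   # e followed by a combining acute accent

def describe(s):
    """How many units a string occupies in the three encodings software mixes up."""
    return {
        "codepoints": len(s),
        "utf8_bytes": len(s.encode("utf-8")),
        "utf16_units": len(s.encode("utf-16-le")) // 2,
    }

def prepare_password(s):
    """Canonicalise before hashing: NFC, then UTF-8 bytes. NFC (not NFKC) is
    the normalisation RFC 8265's OpaqueString profile applies to passwords."""
    return unicodedata.normalize("NFC", s).encode("utf-8")

def lossy_ascii(s, errors="replace"):
    """What an ASCII-only code path does to non-ASCII input: the worst case
    from the thread, where the password 'works' but is no longer what was typed."""
    return s.encode("ascii", errors)

def raw_match(a, b):
    """Byte comparison with no normalisation: what a naive system does."""
    return a.encode("utf-8") == b.encode("utf-8")

def canonical_match(a, b):
    """Comparison after canonicalisation: the same visible password matches."""
    return prepare_password(a) == prepare_password(b)
```

`describe(AIRPLANE)` gives 2 code points, 6 UTF-8 bytes and 2 UTF-16 units; the skin-toned thumbs up is 2 code points but 8 bytes and 4 UTF-16 units, which is the "✈️ might be equivalent to BB" remark above made exact. `raw_match(CAFE_NFC, CAFE_NFD)` is false while `canonical_match` is true, and `lossy_ascii` maps both "Œuvre" and "Øuvre" to `b"?uvre"`, so two different passwords collide. NFC leaves the emoji sequences themselves untouched, so canonicalising costs nothing for them.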
banneryear1868@lemmy.world
on 05 Nov 2023 00:25
nextcollapse
Was gonna say… you’re relying on the consistency of external emoji handlers that you don’t control. Ascii emojis are one thing.
Cosmos7349@lemmy.world
on 05 Nov 2023 00:28
collapse
Is my explanation ok? The hard kombucha was… harder than I anticipated
banneryear1868@lemmy.world
on 05 Nov 2023 00:36
collapse
It was pretty normal lol. Basically everything between the visual of an emoji and what “text” is entered is not in your control. So it’s great for security but not in practice as a password. What brand was the kombucha I want some.
Cosmos7349@lemmy.world
on 05 Nov 2023 00:42
collapse
I didn’t realize NYC has a physical Juneshine location. So I got a flight… and a Juneshine cocktail…
stardreamer@lemmy.blahaj.zone
on 05 Nov 2023 01:35
collapse
Thanks for the feedback! I’ll be sure to use non-printing characters instead of emojis for my passwords! (They can’t guess it if it’s invisible right?)
In all seriousness, why are people so averse to using password managers? People are plenty willing to use the browser’s built-in “remind my password” instead of a proper password solution such as bitwarden… And they come up with such “hacks” just to avoid using a proper length password.
I didn’t know that, thanks
You mean Apple changed it to a water gun and everyone followed suit so as not to have an issue?
Thanks, America, and your mass shootings.
Although I agree it is risky, emoji are unicode characters, just like any other unicode character. If, and that’s a big if, the programmers do their job right, it shouldn’t matter if you use an emoji or a random kanji. It’s all just another character. That said, I don’t trust programmers enough to run the risk. Your password might work fine on the website but then fail on the mobile app.
Someone else said “good luck on the desktop”, but Windows actually has an emoji picker built right in. Win+. will bring it up. Another fun fact, usernames and computer names both support the full unicode set on Windows, including emoji. Some fun can be had with that knowledge. I haven’t tried it on Linux or MacOS yet.
Emojis are standardized exactly the same way as text is, both are defined by the unicode standard. They might not be rendered uniformly, the same way that text rendering depends on the font.
Yes there is, Unicode (Emoji’s): https://unicode.org/faq/emoji_dingbats.html. I would say most modern devices/systems utilize it too. The reason they may look different from device to device is because the presentation style can be modified by vendors, somewhat similar to using different fonts to make letters look styled.
If this isn’t satire, that’s literally what Unicode and UTF-8 are
Terrible idea, good luck logging in on desktop.
You know there’s someone somewhere who would answer you with, “what’s a desktop?”
.
"what's a computer?"
Here is an alternative Piped link(s):
“what’s a computer?”
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
Listen here, you little shit
Dammit I’d forgotten that awful commercial. Angry upvote.
I’m still in denial 😅
I began feeling old when re**itors started calling their site an ‘app’
You can say Reddit it isn’t blasphemous
Wait, you can’t type emoji on your desktop? I feel sorry for you. 🥺
I have no idea how you could either. I don’t know how to create them with s keyboard
Winkey + .
Works on Windows and some Linux distros by default
Firefox has an addon that opens up an emoji panel.
For Windows 10/11, it’s Win+; to open the emote window.
Cmd+Ctrl+Spacebar on Mac
Huh! TIL ☺
It’s Windows logo key + . (period).
https://support.microsoft.com/en-us/windows/windows-keyboard-tips-and-tricks-588e0b72-0fff-6d3f-aeee-6e5116097942
Both work for me and I haven't messed with the keybindings for it.
That doesn’t work on the desktop last I checked.
But it’s actually possible to set a password with emojis anyways (or at least for domain accounts). I successfully logged in on a VM using the Hyper-V window and pasting the emoji from the host. You can also name an account a single emoji and windows actually handles it decently. It’s very likely to break a lot of programs though.
It’s worked on desktops for years and works right now. As someone else pointed out, "win+." works as well. Or maybe it’s supposed to be the only way it works and mine is bugged? Idk. I found it via trying to lock my desktop and mistyping.
It worked on my desktop
😁👍╰(°▽°)╯
Works even in notepad on Windows 11, lol
Oh I meant the lock screen, sorry. As far as I know it works everywhere except the lock screen.
oh, I never tried. There goes that option. Wonder if that was intentional, to prevent people from trying to use emoji passwords because they didn't trust windows to handle it.
It’s probably just because the emoji panel is a program and the lock screen has very limited, if any, capabilities to run any programs. And trying to make the emoji panel function on the lock screen is pretty much a waste of time anyways.
Who needs Reddit when people like you are here on Lemmy.
Under Windows press Win+.
Haven’t read the article yet, but if you have to manually input, just stick to 6 or more randomly generated words (different languages if you would like to). A keyboard won’t always have options for emojis. Use your password manager’s autofill/autotype everywhere else and 2FA where you can. That’s it, don’t overcomplicate things, that’s a good way to screw yourself over.
Emojis are known to break systems in certain circumstances due to the way they’re interpreted in certain character sets.
I guarantee people doing this will not only lock out their own accounts, but may even freeze some authentication servers.
pcmag.com/…/want-to-brick-an-iphone-send-some-emo…
itechpost.com/…/brick-iphone-using-emojis-plus-tr…
That only applies to iPhones that came out 2016 or earlier and were never updated, right?
For that particular bug, yes, but there have been many other variations on that theme and not limited to Apple tech. I’ve seen it nuke an email send for example because the SMTP server choked on emojis placed in a subject, to, or from line.
Thanks I appreciate the clarification
Hahaha, I wish.
You would be amazed at how ancient and poorly maintained many web servers are on the modern internet. SQL injection still consistently makes the top 3 web app vulnerabilities as of 2021. If that isn’t being sanitized properly I don’t expect emojis would be handled much better.
Thanks I wasn’t aware of that
auth servers breaking from emojis would be hilarious, pretty sure that's why older auth servers only allow certain symbols in passwords
“Your password ‘🤣umådbrø⁉️’ is breaking our server. Please change it.”
“Of course. What is the server’s root password?”
The website should feed your password straight into a well known hashing algorithm or key derivation function that has undergone a decade or more of careful scrutiny, without any other processing. The output will usually be a fixed length base64 or hex string.
There’s a short list of about three options that are currently considered acceptable, and a few more are probably fine but are a little too easy to crack these days (e.g. anything that shares the same math as bitcoin… what if someone throws a mining datacentre at your password?)
If the site breaks, maybe you don’t want to be a customer of that service.
Make one account with an emoji password to test their system. If it breaks, good, go create your account somewhere else.
Can you still log in to wellsfargo accounts using the T9 translation of your password?
It’s not the processing on the server that’s the problem. To reach the server the password needs to go through several layers of character encoding; if any of them fails, the server will receive something different from what you meant. And when you try to log in from another device where the layers are different, you’ll effectively be sending a different password.
The same character encoding that would break emoji would break a significant portion of words and names, so if your system can’t handle it, then you deserve all the trouble that you run into.
Unicode isn’t that hard.
You’re not wrong, but some systems, especially smaller ones are intended for English-only situations (or originally were) so non-English language situations might not be as well tested and/or may cause things to break.
Remember there are some sites that still refuse service if you put a " in your password. I’m not saying it’s right, but it’s a definite possibility.
It’s not the 90s anymore.
That is very much not a 90s problem. Especially if the company has a website and an app or is a small company not thinking about these things.
In theory this shouldn’t be an issue but it definitely could be an issue on certain services.
And there are many trash implementations that don’t recognise something like :emoticon: as a shortcut and turn it into an emoji. No no, you have to use the emoji keyboard to type them.
If some auth server breaks because I put emojis in my password then that’s right and deserved
Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin’ for not stripping non-UTF characters (or making sure they work).
My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn’t have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn’t even recognize it.
So if anything, I’d say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboard layouts can be installed across devices and are fully standardized, even if the same character looks slightly different.
Stripping characters from passwords, great idea! Right up there with truncating passwords that are too long.
That’s not how any of this works.
First of all, stripping passwords is never okay. You can reject the password and let the user choose a new one, but never just modify it on your own.
Then, if your system is at risk of code injection by certain characters in user input, please just shut it down and never turn it on again.
Doing that is actually a great way to tell attackers that you’re vulnerable to that type of attack.
Bypassing those front end restrictions is super easy, and the attackers don’t need an account or a password to attack you.
It’s like putting a sign that says “lock fragile; don’t tug” on the door to your business.
That one made me chuckle, it really do be like that 😂
Learn how to sanitise your database inputs first, damnit!
xkcd.com/327/
Also some OSKs put whitespace after inserting an emoji, some don’t. There’s no unified emoji input method yet.
There’s no such thing as a non-UTF8 character. You mean non-UTF8 bytes? If a system sees those, it should reject the entire input, not try to patch it up.
OTOH, there is only one character set that matters, and any system using a different one is, by that fact alone, broken.
Pick one :)
www.iana.org/assignments/…/character-sets.xhtml
I said only one that matters. So I already did pick one. It’s called Unicode.
UTF-8 and UTF-16 pretty much do everything, but if you have a UTF-16 emoji in a UTF-8 system, you’ll have a bad day. :(
Those are encodings, not character sets.
IANA calls them character sets, it’s literally in the URL twice, that’s good enough for me!
No need to tell us how you feel every day
Anyone who takes any kind of advice from the fucking New York Post deserves what they get.
That’s the worst idea i have ever heard
Come on seriously? There are guys out there who send pictures of their genitals to women thinking that’ll impress them. I’m sure you’ve heard at least one idea worse than this. 😜
(psst don’t tell anyone but that emoji is in my lemmy.world password… maybe)
Good point
It’s not even the worst idea in passwords. Assuming the back end can handle it, an emoji is just another character.
I already use:
._.
Classic old school manual emojis.
Emoticons for you kids.
Okay, now’s my time to shine. The words “emoji” and “emoticon” are false cognates, as in they aren’t actually related. Emoticon is a few-decade-old word to describe emotion+icon, like :)
Emoji is Japanese (kanji - 絵文字) for picture-word, basically. It far predates computers.
They just happen to sound similar; isn’t that fun?
💯🐴🔋(umm, staple)
Jeez, you're right. We got pens, pencils, stock charts, even those folders with the colored label tabs, but no stapler, the most basic of office equipment.
When it’s added, I expect most implementations will make it red.
I want it to be pregnant
Preganant?
If a women has starch masks on her body does that mean she has been pargent before?
¿Preganté?
Hopefully it’s compatible with skin tone modifier.
Correct horse battery staple!
But was it a 💯 or was it a ✅? Damn neither. Let’s try with 👍…
100 horse batteries
xkcd still has the best approach to this; four random common words
I love it, Bitwarden has supported generating passphrase style passwords for a while and it’s basically that. It’s my go-to these days.
I prefer picking a sentence or so that has meaning to me, using the first letters, and then adjusting for numbers/symbols. So if I wanted to make that a pw, it’d be 1ppa505thm2m,utfl,atafn/5. -looks completely unintelligible, but as long as you can remember the sentence and have some ideas of how you would have encoded it, easy enough to remember/recreate.
good luck remembering all of those for every account you create, though.
Why are you not using a password manager
If you’re using a password manager you don’t need phrases you can remember, you can generate even more secure passwords. Or start using passkeys.
I am, and I’m not jumping through hoops of making up a password sentence for every new website. I let Bitwarden take care of that for me.
Just use these methods for the pws you either need to know (like your password manager) or don’t want stored for whatever reason, like your bank. Otherwise, yeah, just let your password manager generate a password for whatever site.
I want cross-device
Most are cross device. Use bitwarden
Guest machines too. And I sorta prefer whichever browser/OS I’m using’s implementation because they’re usually styled similarly.
It’s as easy to remember a bunch of those as it is remembering 4 random words with no association, I think. And besides, just use that for the big, important, pws like your pw manager.
Just be sure to throw in symbols and numbers to beef it up. Dictionary words are easier to brute force.
Not 4 of them in a row. Keep in mind the attacker doesn’t know "look for exactly 4 words".
That’s just security by obscurity. It’s one other strategy of choosing passwords that a bruteforce attack is going to try if it gets popular
That’s not what security by obscurity means. And going by your definition, all passwords are security by obscurity.
If your strategy is to just use dictionary words your password will have little entropy and even less so if you use grammatically correct sentences. If the attacker knows this is your strategy of choosing passwords cracking one is way easier than cracking a password that has the same length but consists of randomly chosen characters.
Your password is only safe because the attacker doesn’t know your strategy of choosing the password which forces him to use inefficient methods of cracking it, while there would be a more efficient way if he knew the strategy you used. Which is security by obscurity.
The whole idea is to make it easier for humans to remember and more difficult to brute force. Long passwords are much harder to brute force than complex passwords with lots of special characters. And they’re a lot easier for humans to remember.
There are enough words in any language that it’s virtually impossible to guess the correct four words, even if they’re in the dictionary.
Even so, most password requirements will force you to add them anyway. A quick way to do it is to just pick a number on a keyboard and add it and the symbol to the end, e.g. HorseBattery2# and so on.
You can even make a complete sentence that makes sense with symbols and numbers.
“Ronaldo doesn’t grill 76 Canadian Tacos.”
Or whatever
And requirements like that are why my password strengths are completely out of whack:
There’s a reason why experts these days argue against anything but minimum length restrictions.
I like doing entire phrases with some rhymes thrown in. Makes it easier to remember them.
“BonyTonyMoansHe’sOnlyGrownLonely” has a shitload of characters, and a full sentence (even a nonsensical one like that) is more memorable to me than a random handful of disparate words.
The more ridiculous, the better. (And, naturally, don’t forget your numbers and symbols)
EDIT: Actually, no idea why I made it all one group of words. So long as spaces are in the password’s character space (and they very well should be if friggin’ emojis are), there’s nothing stopping you from doing an entire, punctuated sentence, other than that we’ve been conditioned not to think of a password that way.
“Skinny Kenny’s friend, Mini Ben, has 20 chins.” That should be a fully-acceptable password with 46 characters (48 if you add the quotes), capital letters, numbers, and special characters.
You can’t compare a 46 random character password to a password composed of words, the entropy of each is very different. Your kind of password is vulnerable to dictionary attacks, which are way more common and easy than brute forcing every possibility. A 50+ character unique random password for each service, stored in a password manager which is encrypted with a 20+ character random password, is the most secure and future proof (for now).
If the attacker doesn’t know that you’re using a dictionary password, then dictionary attacks probably won’t be their first choice. I want to remember these passwords across devices and on guests.
Like someone else said on this thread; that’s just security by obscurity, which is bad. Dictionary attacks will be one of the first (brute force related) attacks attackers will use because word passwords are incredibly popular (though admittedly of fewer words: VeryBigDog34 etc…), and relatively easy to do. I agree that having the password across different devices is somewhat of a challenge with a password manager, but not impossible. My very long and complex password is all down to muscle memory by this point, I couldn’t tell you what it is from memory.
Also you shouldn’t use the same password on multiple things and if you don’t use a password manager you will need to memorize a lot of different passwords.
Dictionary attacks aren’t some magic bullet. There are a lot of English words and just four of them IS comparable in cracking difficulty to a standard 8-char password that is as random as you can make it. There are a lot more words than there are symbols. Four words is obviously not as good as 46 totally random chars.
Dictionary attacks are definitely not a magic bullet, they require a lot of processing power, just like any other brute-force attack, but not more because of their longer length, as has been implied.
True, there are a lot of English words, but the amount of common words is relatively small. Most people aren’t going to choose a password like “MachicolationRemonstranceCircumambulationSchadenfreude”, even if it were generated for them (which is unlikely).
Sure, it is comparable to a standard 8 character password, but even that kind of password is verging on the insecure (it is the absolute minimum, which should be avoided when possible).
There are also a lot of symbols when you count emojis and the entire Unicode standard.
Password database
Four words is too low these days to protect against gpu bruteforcing
Got a source on that?
Edit: plus brute forcing is just one scenario. I think the xkcd comic refers to using passwords in online services, and those usually have some sort of rate limiting.
thesecurityfactory.be/password-cracking-speed/
8 character a-zA-Z is 45 bits of entropy (log2(56^8)), about the same as the XKCD password if you take from a 2048 word list. That’s crackable in a minute on AWS.
Password hashes get frequently stolen, don’t rely on rate limiting if it’s something you really care about.
Here are the diceware recommendations on the number of words: theworld.com/~reinhold/dicewarefaq.html#howlong
Sure, but the average English speaker knows way more than 2048 words. Let’s not forget about case sensitivity, made-up or “inside joke” words, names, and specific industry vocabulary.
Even if you take four words from a 30000 word list (a quick Google says that’s the number of words an average person knows), that’s still fewer bits of entropy than a 5 word diceware password (7776 word list). People are also really bad at randomness, so your own string of random words is likely going to be much worse.
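To put numbers on the schemes the last few comments compare (8 random letters, 4 words from a 2048- or 30000-word list, 5 or 6 diceware words), here is an added example, not code from anyone in the thread, that computes the entropy of each and draws a diceware passphrase with a CSPRNG rather than a human picking "random" words. The word list and the guess rate are constructed assumptions for the example.

```python
"""Added example (not from the thread): entropy of the password schemes the
comments above compare, plus a CSPRNG-driven diceware draw.  The list sizes
are the ones the thread quotes; the word list below is a constructed
stand-in for a real 7776-entry diceware list."""
import math
import secrets

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`
    symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

# (alphabet or word-list size, number of symbols), as quoted in the thread
SCHEMES = {
    "8 chars a-zA-Z (52)": (52, 8),
    "8 chars a-zA-Z0-9 (62)": (62, 8),
    "4 words, 2048-word list": (2048, 4),
    "4 words, 30000-word list": (30000, 4),
    "5 words, 7776-word diceware list": (7776, 5),
    "6 words, 7776-word diceware list": (7776, 6),
}

def compare_schemes() -> dict:
    """Entropy of each scheme in bits, rounded to one decimal."""
    return {name: round(entropy_bits(a, n), 1) for name, (a, n) in SCHEMES.items()}

def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password at a given guess rate: on average
    half the keyspace is searched.  The guess rate is an assumption you
    supply; it depends on the hash the site uses (see the thread)."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def diceware_index() -> int:
    """A diceware word is chosen by five rolls of a six-sided die; reading
    the rolls as a base-6 number gives an index 0..7775 into the list."""
    idx = 0
    for _ in range(5):
        idx = idx * 6 + secrets.randbelow(6)   # CSPRNG, not random.randint
    return idx

def diceware_passphrase(wordlist: list, n_words: int) -> str:
    """Draw n_words uniformly from wordlist.  secrets.choice avoids the
    modulo bias that diceware_index() % len(wordlist) would introduce on a
    list that is not exactly 7776 entries long."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

# Constructed stand-in word list (a real diceware list has 7776 entries).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "bony", "tony",
                "skinny", "kenny", "mini", "ben", "canadian", "taco"]

if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        # 1e10 guesses/s is an assumed rate for a fast hash on a GPU rig.
        print(f"{name:36s} {bits:5.1f} bits  "
              f"~{expected_crack_years(bits, 1e10):.2g} years at 1e10/s")
    print("passphrase:", diceware_passphrase(SAMPLE_WORDS, 5))
```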
Thanks for the explanation. What’s diceware?
It’s the concept of literally using a die to choose with randomness (humans are terrible at trying to be random); a link with details is in a previous comment.
Thanks.
theworld.com/~reinhold/diceware.html
Thanks.
That only works if someone already has access to a system’s password database.
Last week or two I’ve been learning more about passkeys, and it makes threads like this seem ridiculously out of date. Given the choice between emojis and passwords and hard crypto, I’ll take the crypto.
What’s crypto?
Well you see there’s this thing called the Blockchain, it’s like a ledger…
Man, I sure wish I could get on the ground floor of this exciting new technology as an investor.
Might be too late for that, but BOY do I have a bridge to sell you!
You're kidding. A real-life bridge!? You can own those!? Name your price.
Yes!
You can even change it into a toll road and return your investment in no time!
Cryptography
Cryptography. As in, using encryption and encryption keys to authenticate me, rather than just a password.
I’m not sure what the passkey advantage over long unique password in a password database is.
Well, KeePassXC just got passkey support so I guess it doesn’t matter much
With passkeys, your browser and the website exchange a public-private key pair then make up long random one-time “passwords” every time you login but only use them to check they each still have the right key.
I guess I’m gonna need the answer spoonfed to me. I think I understand how the tech works but I don’t understand the advantage over a complex non-reused password. Maybe keyloggers, if it’s one-time thing?
The advantage - from my very incomplete understanding - is that your passkeys cannot be phished or stolen from you. So only you from your device can log in to the site. Which leaves me with the question, how do cross-device passkeys work?
That would be a really nice advantage but yeah, I wonder how cross-device passkeys or recovery passkeys would work
There are different ways.
One way is to use an encryption module on the device that, rather than storing the keys just encrypts the keys and holds an encryption key that you can’t extract, and can do various crypto operations.
Now you ask the module to do a secure key exchange algorithm with the new device, mediated by a party the module trusts, like Apple or something.
Now both devices share a secret key, and they trust that the other is owned by the same user because the owner verified with apple who then signed the exchange messages.
Old device decrypts with the old key, and encrypts with the new key, never letting the data leave the secure module. Send the data to the new device which can do the reverse, and both devices forget the shared password.
Overall, minor weaknesses like storing keys in the cloud encrypted by a key derived from a password that the cloud never sees, while objective weaknesses, are still significant net improvements to security over passwords.
Thank you for explaining. That’s a thing most sites leave out: tell people how the keys cannot be stolen while still working on a different device.
Big reason for that is the spec for how this all works being around for a while, giving people a lot of time to write about the core of how it works, but the viable popular implementations are far newer, so articles still haven’t been updated, and doing the key transfers is still one of the newest parts that the big vendors don’t want to talk about yet, because they still have to get their patents fully approved and everything.
What I described above is one way to move data between two devices in a secure way with a trusted intermediary to verify identity, but I have no idea if it’s how any major vendor actually does it, because they haven’t made that data public. It’s just what’s obvious to a sufficiently informed subject matter expert.
There are lots of advantages:
The downside is that there’s been a whole bunch of tools and apps and services built around passwords for decades and converting all that mass to passkey tools will take a bit.
There are some other tradeoffs like, right now for example I can reasonably print all my passwords and TOTP codes on a few sheets of paper and achieve an “offline” backup in case of untimely death and so on, it’s going to be a bit more cumbersome with passkeys. But I expect there will be ways to optimize that as the technology evolves.
Passkeys, under the hood, use a way of proving your identity that doesn’t require you to actually send your password, and also doesn’t require you to send your username either.
Because of how it’s implemented, the system managing the passkeys also gets to authenticate that the website is who it says it is.
So no private data actually gets sent anywhere, but you can prove your identity while also checking the identity of the site you’re talking to, like the SSL lock icon but automated. It’s often implemented such that the device that holds the keys can’t actually have them stolen from it, and it’s integrated with a biometric sensor.
This means it’s possible to have a high degree of confidence that the person logging in is physically the same person who created the credential, and not just someone who had their password stolen.
The final perk is that if you’re using something like a phone with a fingerprint scanner, passkeys work as two factors of authentication, despite only feeling like one.
Because the phone verifies your identity via fingerprint (something you are), it can then unlock the key that is uniquely available to the phone (something you have).
Combine that with being generally easier to use, and it’s pretty clear why most security experts are pushing them. Security that users will use is better than security they won’t, and finally we have easier to use security that’s also better than the more difficult options.
…no
I’d rather staple my forehead to a telephone pole before I ever think about using an emoji in a password. Those things are abominations!
👆
Out of curiosity, what makes you say so?
Edit: Oh. Did a “Wooosh” happen to me right now? Are you being ironic and referring to the XKCD thing about how to make a secure password using words in phrases?
I think OP is conflating the use of emojis in passwords with the use of emojis by the general public.
Yes, it’s annoying to read stuff like “Hi 😃😃😃😃 I am Bob ♥️♥️♥️😎😎😎😎,” but that doesn’t mean that using them in passwords is a bad idea.
Well they have to be the same on different devices, like you log in to Lemmy on your PC and then on your phone. Also sometimes it seems the icons change, or there are new ones and maybe old ones are removed …
Emojis are standardized. They may look different in different devices, but the code of a “raised hands” emoji will always be the same, just like the code for A is always the same.
Removing old ones could be a problem, though.
Just like a gun is standardized to a water gun for some and a real gun for others?
Edit: I get your point, it’s just that if you memorize your password with emoji icons, different icons would screw up your tries to log in
If you search for “gun” in your device when selecting an emoji, just pick whatever comes up. Done.
What if I am using a device that doesn’t support emojis? wouldn’t I need to learn the code for each emoji I have used in a password?
That’s a good question, and yeah, I guess you’d either avoid using emojis or accept the fact that they’re not universally supported.
Having said that, some people use non-ASCII characters in their passwords, such as Œ which is a valid letter in some alphabets, and they’d run into the same issue.
Yes
But how many modern devices don’t somehow support emojis though?
And how many of those you need to enter a password in?
Or that “hi 😊 I’m Bob” doesn’t express a (subtly) different meaning to “hi, I’m Bob”
I can agree with you. I’m curious what these reasons are, though?
Because they’re a major pain to type, except for the most common ones?
Good luck logging in on a Smart TV.
Security Experts probably don't log into smart tvs all that often. Just a guess.
Sorta how car designers never have to actually fix cars.
But why wouldn’t it make sense to need to pull the cab off of a pickup truck to change the spark plugs?
That’s true for all car designers. You’re referring to the shitty designers, though.
Architects don’t get involved in the actual construction of a building either.
Oh they do. They come to tell you that the safety protocols you’ve implemented are interfering with their design.
They’d prefer it if it looked pretty and then just fell down in a light breeze, thank you very much
All the apps I’ve used recently use QR codes (or similar measures, like a sync code) that has you log in from the phone, so it should work anyway!
But not all apps, sadly. I just experienced it with Crunchyroll, and saw my dad struggling with a crappy app called Vix yesterday.
Fair enough. I’m mostly using “big ones” plus SmartTube.
In my experience the only one that works with any degree of reliability is YouTube. Even the Netflix one can be fairly intermittent.
Also, a lot of the time you’ll go away and the hotel you’re in will have a smart TV whose software was last updated in 2011, so you have to sign in on the device.
Logging in on a smart TV? Lol!
Scan the QR code and log in on your phone. Oooh scary
I’ve had to manually type in passwords on a TV several times in the last few months because sometimes the login for even the biggest brand-name services is just broken.
What’s up with all the hate for emojis lmao
Back in my day we only had 95 printable characters, and that’s the way we liked it! /s
Antisocial people.
It was the same on Reddit. All of the people who despised emojis were often posting in really cringe and incel related subs.
My use of emojis skyrocketed after I started dating. They are fun and convey emotion really well.
🤣
🍆✊💦🍳
😔
If I’m going to be relaying through to people strictly over text as much as I do these days, I better have a way to articulate it with the right emotional range to match my sparkling personality ✨
I’m convinced emojis are what has been missing from language for a long time. They are a great way to portray emotions through text, which otherwise could not be achieved.
This way there is a difference between:
“You are so amazing 😁👍”
and
"You are so amazing 🙄 "
Greatest put down ever.
💀💀💀💀💀💀💀🗿🗿🗿🗿🗿🗿🗿🚣👍👍👍👍👍👍🔥🔥🔥🔥🔥🔥🔥 sigma
the emojis and text above are a part of the reason
What’s the boat rowing used for, typically?
Traversing water using manual propulsion
Don’t act like you don’t already know, pervert.
😠 I hate it when people do that because the emoji don’t mean anything. Like I can use a single emoji to actually relay some information but just putting a bunch of them doesn’t do anything.
well that just sounds like you don’t like immature content/people
People who use them tend to spam the hell out of them. Like, 8 of the same emoji. And they use them every other sentence. It’s obnoxious, you only need one or two to get the point across.
They didn’t exist yet when I was an early teenager, all we had were emoticons that might be replaced by images by the forum software, so of course I think they’re stupid /s
Without sarcasm, it is a good thing we have standardized symbols now and don’t have to implement emoticon replacement into forum or chat or social media software. If only because half of such implementations replaced any occurrence of the number 8 followed by a closing parenthesis with 😎 even when that wasn’t the intended meaning (one can think of many other times one would end a parenthetical statement with the number 8).
Security expert reveals surprising way to induce headaches
Security experts don’t actually have to work on corporate IT systems.
So you’ve set your password to contain a 😇 have you?
Ok so how are you going to type it on this desktop computer keyboard here…
Yeah I thought not.
I’ll just go reset your password shall I?
win+.
(works on KDE too afaik…?)
I’ll let you be in charge of teaching them that. I literally had to talk someone through how to type an exclamation mark today, I don’t think they’re going to handle the extended Unicode character set.
Can you write any Unicode character? Gotta make passwords in cuneiform
Wingdings for life baby!
Wingdings is a font.
That was a joke. There now we both said something that was plainly obvious.
(👁 ͜ʖ👁) 𓂺
-The most secure password
Sounds great where it works but I’m sure most systems would reject an emoji or make you type out some overly complex password in addition to your emoji.
Honestly you’d be surprised how many places it just works magically. I was surprised to find that Office365 users could use emojis in names for Microsoft Teams which had no problem syncing those accounts back to an on-prem Active Directory. You can use emojis to name a whole SQL database, let alone users/passwords on it.
I keep wondering if I need to figure out how to turn that off but it hasn’t caused any problems. It’s definitely sketchy looking though when you see a bunch of normal usernames and then suddenly one is just ten snowman emojis in a row.
Emojis are just a string of special characters that get recognised and replaced by an image anyway. It is the same as using those special characters separately.
It’s all just Unicode so in theory a password system shouldn’t think that emoji are any more interesting than any other character. To a computer the letter B and the emoji ✈️ are equivalent in that they’re both just normal characters that one can type.
Sort of, emoji are usually treated as two or more normal characters so ✈️ might be equivalent to BB. But the basic point is the same.
It should work reasonably well in password systems that hash the password from a UTF-8 encoding… which should be most things really. If the system is trying to process everything as ASCII, maybe not. It might even appear to work but get converted to some other character (which is kind of the worst case)… That should be rare in web applications though.
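The encoding-layer problem raised earlier in the thread (a password that reaches the server as different bytes from another device), the "emoji counts as two characters" point, and the advice to feed the password straight into a well-known KDF all come together in one place, so here is an added example, not code from anyone in the thread, that traces an emoji password from string to stored hash. It shows the lossy ASCII case where two different emoji passwords collide, the UTF-8 versus UTF-16 mismatch, and NFC normalisation before hashing; the sample passwords, salt and iteration count are constructed for the example.

```python
"""Added example (not from the thread): an emoji password from keyboard to
stored hash.  One Unicode string hashes the same everywhere only if every
layer keeps it UTF-8 and unmodified; a UTF-16 or lossy ASCII step turns it
into a different (or colliding) password.  Normalising to NFC before hashing
makes equivalent keyboard output verify without weakening anything.  The
iteration count and the fixed test salt are example values."""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 200_000  # example value; tune to your hardware

# Constructed sample passwords
PLANE_VS16 = "fly\u2708\ufe0fhome"   # ✈️ = U+2708 + U+FE0F variation selector
PLANE_BARE = "fly\u2708home"         # ✈ without the selector
GRIN = "fly\U0001F600home"           # 😀, one code point outside the BMP
E_COMPOSED = "caf\u00e9"             # é as a single precomposed code point
E_DECOMPOSED = "cafe\u0301"          # e followed by a combining acute accent

def canonical_bytes(pw: str) -> bytes:
    """What the server should feed the KDF: NFC-normalised text as UTF-8.
    NFC folds the two spellings of é together but leaves emoji variation
    selectors alone, so ✈️ and ✈ stay distinct passwords."""
    return unicodedata.normalize("NFC", pw).encode("utf-8")

def lossy_bytes(pw: str, encoding: str) -> bytes:
    """A broken layer: a transcoding step that cannot represent the character
    and substitutes '?' (the 'appears to work but got converted' case).
    Every emoji collapses to the same byte, so different passwords collide."""
    return pw.encode(encoding, errors="replace")

def derive(pw_bytes: bytes, salt: bytes) -> str:
    """Password bytes go straight into a well-known KDF, nothing else."""
    return hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, PBKDF2_ROUNDS).hex()

def register(pw: str, salt: bytes = b"") -> tuple:
    """Return (salt, stored hex digest); a fresh random salt unless given."""
    salt = salt or os.urandom(16)
    return salt, derive(canonical_bytes(pw), salt)

def verify(pw: str, salt: bytes, stored_hex: str) -> bool:
    """Constant-time comparison of the freshly derived digest."""
    return hmac.compare_digest(derive(canonical_bytes(pw), salt), stored_hex)

def code_point_and_byte_lengths(pw: str) -> tuple:
    """(code points, UTF-8 bytes, UTF-16-LE bytes) for one string; shows why
    an emoji 'counts as' two or more characters depending on the layer."""
    return len(pw), len(pw.encode("utf-8")), len(pw.encode("utf-16-le"))

if __name__ == "__main__":
    for pw in (PLANE_VS16, PLANE_BARE, GRIN):
        print(repr(pw), code_point_and_byte_lengths(pw),
              "ascii:", lossy_bytes(pw, "ascii"))
    salt, stored = register(E_COMPOSED)
    print("composed registered, decomposed verifies:",
          verify(E_DECOMPOSED, salt, stored))
```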
Oh for fuck’s sake, just turn on 2FA
Until you get to a prompt that doesn’t support unicode.
Meanwhile, Android not even wanting to accept accents is painful.
That doesn’t sound right. Maybe non Google Android does that, but no such issue on Pixel.
or just use special characters of languages like: ą, ę, ø, č
Do you have trouble on physical keyboards?
Programmable or modded keyboard with QMK and you can physically key in some pretty wacky stuff if you really wanted to.
Or en.m.wikipedia.org/wiki/Zero-width_space ? But seriously, just use unique random strings likely through a password manager.
Just use longer passwords?
What do you think is a good length? I think it has to be at least 10 but over 15 is much better.
Idk exactly how accurate this is but seems valid
[image: chart of estimated password cracking times by length and character set]
The colors on that are kinda confusing. 6tn years is yellow, but 2k years is green?
It seems like the designer didn’t notice the error
So those annoying as hell “6 character, lowercase and uppercase letters, special character” passwords give a full 6 minutes of protection. Good to know.
For 6 characters it’s 5 seconds. I like the idea of using passphrases that mix casing with symbols but still look like real words; it makes it easier to write them down when you need them, and they can be very long, so they are quite secure, of course using a password manager to be able to manage them.
Damn, even worse than I thought. I wish someone would show this to the people who set those ridiculous password requirements.
I was glad when my work did away with monthly password changes and went with 15 characters minimum as the only requirement.
Why is 1,000 years yellow in that graph?
If a password can’t be broken in 1,000 years it is utterly unbreakable in any effective sense of the term. No one’s going to run the program for a thousand years because even if they did it wouldn’t be relevant at the end of the process.
Hell even 51 years is pushing it.
Well, the rate passwords can be tested at now may not always be the rate passwords can be tested at later. Computers were, at one point, growing exponentially faster in terms of processing power. There are still several emerging technologies out there that could cause significant speed-ups.
It’s certainly better to future-proof your passwords.
I wonder if this assumes the cracker knows how long etc the password is when they start cracking.
I always make my passwords “a” because I figure they’ll start cracking attempts at 5 characters 😁
In EVE Online that’s called ‘getting underneath the guns’. 🎓
Rookie numbers. Max out the character limit.
Seriously tho: go for at least 80 bit randomized characters. If it’s something you have to type, use a couple of random words. Longer passwords are exponentially more secure.
All I can picture in my head is Matthew mcconaughey telling Leonardo DiCaprio he needs to masturbate more
It depends on how the password is stored / KDF used (what type of hash, salting, bcrypt, etc).
Judge for yourself if it’s an old website or old piece of software that might use (god forbid) MD5. Since one would not normally know that, I’d go with 20 (good, cryptographically) randomly generated upper/lower/digits if using a password manager, or a 40ish character passphrase if you need to remember and/or easily type it. Add some punctuation / special chars (spaces, commas, dots, parentheses, etc) if it’s an important master key (i.e. password manager key, encrypted container, etc) and you have decent typing skills.
Some shitty sites / routers don’t accept certain special characters, hence go with upper/lower/digits as standard but use longer lengths (if the shitty site allows you and doesn’t limit that too). Limits to what a password should contain and/or length limits would be a sign of lazy programming and poor password management, so treat them as insecure from the get-go (yes, even big names like Oracle have piss-poor security or lazy implementation). Good programming nowadays shouldn’t have those limits, as user input sanitization / injection protection exists, and hash functions have a fixed length no matter what the input length is.
Also very important, don’t reuse passwords for online accounts. Hence a password manager remembering them for you. There are still websites storing passwords in plain text. You wouldn’t want your local pizza hut know or leak your email password by being hacked.
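The recommendations in this thread (at least 80 bits of randomness, 20 random upper/lower/digits, 32-character alphanumerics, or a handful of random words) are easier to compare when you put numbers on them. The following is an added worked example, not code from any commenter: it computes the entropy of uniformly random passwords over the alphabets discussed, the length needed to reach a target like 80 bits, the expected exhaustive-search time at an assumed guess rate, and generates passwords with the `secrets` module rather than `random`. The guess rates and the 7776-entry word-list size are illustrative assumptions, not measurements; as the comment above says, the real rate depends entirely on the hash/KDF the site uses.

```python
import math
import secrets
import string

# Alphabets that correspond to the recommendations made in the thread
ALPHABETS = {
    "digits": string.digits,                                          # 10 symbols
    "lower": string.ascii_lowercase,                                  # 26 symbols
    "alnum": string.ascii_letters + string.digits,                    # 62 symbols
    "alnum+symbols": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}

# Assumption: a word list of 7776 entries (five dice). Entropy per word is log2(7776) ~ 12.9 bits.
WORDLIST_SIZE = 7776

# Assumption: purely illustrative guess rates for one attacker, in guesses per second.
# A fast unsalted hash (MD5/SHA-1 on GPUs) is many orders of magnitude cheaper to
# attack than a deliberately slow KDF (bcrypt/scrypt/Argon2).
GUESS_RATES = {
    "fast unsalted hash (illustrative)": 1e11,
    "slow KDF such as bcrypt (illustrative)": 1e5,
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches `target_bits` with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average half the keyspace is tried."""
    return (2 ** bits) / 2 / guesses_per_second


def generate(length: int, alphabet: str) -> str:
    """Generate a password with the OS CSPRNG. random.choice is not suitable here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def human_time(seconds: float) -> str:
    """Rough human-readable duration, enough to read the table below."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.2f} s"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    print(f"20 random alnum chars  : {entropy_bits(20, 62):.1f} bits")
    print(f"32 random alnum chars  : {entropy_bits(32, 62):.1f} bits")
    print(f"chars needed for 80 bits (alnum): {length_for_bits(80, 62)}")
    print(f"words needed for 80 bits (7776-word list): {length_for_bits(80, WORDLIST_SIZE)}")
    for label, rate in GUESS_RATES.items():
        for desc, bits in [("6 chars, all classes", entropy_bits(6, 94)),
                           ("20 alnum", entropy_bits(20, 62))]:
            print(f"  {label:40s} {desc:22s} {human_time(expected_crack_seconds(bits, rate))}")
    print("example 32-char alnum password:", generate(32, ALPHABETS["alnum"]))
```

The output makes the comment's point concrete: a 6-character password drawn from all 94 printable ASCII symbols is only about 39 bits, which a fast unsalted hash exhausts in seconds, while 14 random alphanumerics already exceed 80 bits and 20 of them are well past what any hash rate in the table can touch. Only the KDF and the attacker's hardware change the rate column; the entropy column is fixed by how the password was generated.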
Yeah, I know, you said
Grab a sentence you know well.
Pick just the first letter of each word.
It will look like it’s random - for example “I like my lemmy only with beans and bacon” becomes “ilmlowbab” - and it comes from a far vaster possibility space (every possible sentence, and it need not even make sense) than that of “words in the English language and derived words”, so it’s a lot harder to try to crack with a dictionary attack.
Also it works in everything that takes ASCII characters (i.e. everything but numeric-only PIN codes).
A nice system
I disagree with them.
⬜ (white large square) for example. Emojipedia shows what that emoji looks like on 26 different vendors. Some are pure white, some are shades of grey, and then there’s Microsoft who in its usual infinite wisdom decided it should be purple. 🟨 (large yellow square) is a tossup between actually yellow and orange. This issue is also exacerbated with different displays displaying colours differently. Factors such as color accuracy, viewing angle, brightness affect how you perceive colour.
<img alt="" src="https://lemmy.world/pictrs/image/4300511f-3280-480f-9b33-07a24f8974cf.png">
This also extends to face emojis. “grinning face with big eyes” (Emojipedia link) isn’t that easy to tell apart from “grinning eyes” (Emojipedia link). Or shaking face 🫨. Problem is, Windows’ emoji picker (Win + . (period)) doesn’t have it. Trying to login on a friend’s phone that’s still on iOS 15 or Android 12, before shaking face came out? Enjoy manually copy/pasting the emoji from Emojipedia. “correct horse battery staple” on the other hand looks the same on all devices.
No. There’s only one piece of advice that should be given to users in 2023 about how to make their passwords stronger:
Use a password manager
Just use 32 character random alphanumeric passwords that are unique for each site (you can do more like 12-16 characters if you’ll ever need to enter manually).
This is it. Stop trying to create clever passwords that you can remember. You aren’t as uniquely creative as you think and there have been bodies of research into how the various things people do to create passwords that look secure can reduce the generation space so much that they become considerably easier to crack with an intelligent algorithm.
Test your ability to be unpredictable
I got it to a stable 54% by using an algorithm (typing f or d for consonants and vowels respectively in sentences I thought up, switching languages regularly), and a stable 56% by just typing randomly and adjusting my patterns based on the colored output, which might have skewed my results. Certainly a very cool tool, I also liked the explanation linked on the page!
How many websites/services don’t support such lengthy passwords these days?
Few, but those that don’t you can just shorten the length generated.
A long time ago a friend of mine used a set of key presses to generate a smiley face to put in his BIOS, which ended up in a situation where he was not able to type the same smiley face into the password prompt. I had to teach him to reset his BIOS battery to get back into the BIOS.
You’re a good friend
For petty services where you don’t want to have to break out the password manager, try making your own mental salted hash.
Pick four long words at random. Assign each of these to the four quadrants of the alphabet.
A-F - Equipment
G-M - Triumphant
N-S - Sampling
U-Z - Fatigued
Pick one number:
4
Now, take the first letter of the service that the password is for, and that selects your quadrant word. Take the number of letters in the service and multiply it against your number. Take the last letter of the service, and on your QWERTY keyboard, move all the way to the right of that line to select the first symbol there. That’s your unique password that’s salted with your personal words and number.
Facebook = Equipment32:
Lemmy = Triumphant20{
Pizza Hut = Sampling36{
If you want more security for these petty services, use longer words, bigger number, or use some other metric, Tweak the algorithm to make it unique to you. Maybe capitalize a middle letter in your salt word based on the length of the service name. Maybe add the first letter of the colour of the service logo to the password, EG
Facebook = Equipment32:B
Lemmy = Triumphant20{T
Pizza Hut = Sampling36{R
Petty services I would consider to be anything that’s not super critical, and is at a higher likelihood of breaching my shit.
For banks, primary emails, or government services, use a more complex algorithm or a random string of chars from your password manager.
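To make the scheme above precise, here is an added implementation of it; it is not the commenter's code and it encodes a few interpretations needed to reproduce their three examples exactly. The symbol is taken to be the shifted symbol at the right end of the QWERTY row containing the service's last letter (':' for the home row, '{' for the top row, which gives "Equipment32:" and "Triumphant20{" as in the post). "Pizza Hut" only yields 36 if the space is counted, so the length is the full service string. The post's ranges skip the letter T; as an assumption this code puts T in the third bucket. The optional shared suffix is the one suggested further down the thread.

```python
# Quadrant words from the post. The post lists N-S and U-Z; T is assigned to the
# third range here as an assumption so every letter maps somewhere.
QUADRANT_WORDS = [
    ("A", "F", "Equipment"),
    ("G", "M", "Triumphant"),
    ("N", "T", "Sampling"),
    ("U", "Z", "Fatigued"),
]

PERSONAL_NUMBER = 4

# Interpretation that matches the post's examples: walk right along the QWERTY row
# holding the last letter and take the shifted form of the first symbol key.
QWERTY_ROW_SYMBOL = {
    "qwertyuiop": "{",   # the key right of 'p' is '[' ; shifted it is '{'
    "asdfghjkl": ":",    # the key right of 'l' is ';' ; shifted it is ':'
    "zxcvbnm": "<",      # the key right of 'm' is ',' ; shifted it is '<'
}


def quadrant_word(service: str) -> str:
    """Pick the memorised word by the service name's first letter."""
    first = service.strip()[0].upper()
    for low, high, word in QUADRANT_WORDS:
        if low <= first <= high:
            return word
    raise ValueError(f"no quadrant word for first character {first!r}")


def row_symbol(service: str) -> str:
    """Pick the symbol from the QWERTY row of the service name's last letter."""
    last = service.strip()[-1].lower()
    for row, symbol in QWERTY_ROW_SYMBOL.items():
        if last in row:
            return symbol
    raise ValueError(f"last character {last!r} is not a letter on a QWERTY row")


def derive(service: str, number: int = PERSONAL_NUMBER, suffix: str = "") -> str:
    """Deterministically derive the password for `service`.

    len(service) counts the space in "Pizza Hut" (9 * 4 = 36), which is what the
    post's example requires. `suffix` is the optional shared phrase from the thread.
    """
    return f"{quadrant_word(service)}{len(service) * number}{row_symbol(service)}{suffix}"


if __name__ == "__main__":
    for name in ("Facebook", "Lemmy", "Pizza Hut"):
        print(f"{name:10s} -> {derive(name)}")
    print("with shared phrase ->", derive("Lemmy", suffix="thisismypassword"))
```

Running it reproduces the three passwords in the post. Note what the code also makes visible: everything after the quadrant word is a function of the service name alone, and the word itself is one of only four values, so the secret material is the four words plus the number, exactly the rotation problem raised later in the thread when one of these passwords leaks.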
too short, for all that effort just use a sentence with a symbol and a number.
FacebookCanGoToHell!123 is more secure and easy to remember
You’re going to memorize a unique sentence for each service?
A method like this allows you to memorize only 4 words of arbitrary length, a number, and a simple algorithm to yield unique passwords for each service.
Also you can’t really “forget” a password, because it’s connected to the name of the site. Very clever
You can also add a standard phrase to all of them that is shared between them all just to make them more complex
Equipment32:thisismypassword
Yes, it is what I do now. There was a time when people memorized 10, 15 phone numbers.
Yeah putting the name of the service in the passphrase is actually pretty secure, unless the rest of the password is like “thisisapasswordforFACEBOOK” cause then one password gets leaked and the rest can be inferred.
Just come up with one strong password (see xkcd.com/936/) for your password manager and use randomly generated passwords for everything else. There’s no reason to manually compute a hash every time you sign up for a service.
Also, for a non-remembering solution, use a security key with your password manager, the kind that plugs into USB and you have to tap a button to authenticate. Then you can generate a true random password and store it somewhere safe as a backup, and mainly use the key for day to day.
what about when you’re on your phone?
Many security keys have NFC, or if you’re on a modern phone, you can use USB type C (Yubikey 5C)
Authentication app is another option. I believe some password managers can be set up to take the master password once per device and then accept authenticator codes to unlock for each subsequent time.
Or, since your phone is probably a lot more locked down than your computer, it might also be acceptable to just leave the password manager unlocked on your phone all the time, depending on your threat model. Almost every modern phone since like the days of the iPhone 5S has a cryptographic TPM/secure enclave in the processor, while the fact that not every computer has one was a major sore spot in Windows 11 compatibility. Assuming your phone is both encrypted and password protected and you trust the OS to implement both securely, the PIN on your phone works more like the PIN on your credit card than a traditional password login on a non-encrypted non-TPM computer. So even if a bad actor physically had your phone, it would be very hard to actually extract data out of it without the passcode (assuming it’s just your garden variety cybercriminal and not the CIA or something), which would serve as your master password in that case. Hardware security features can also resist brute force attacks where someone clones your hard drive and hooks it up to their own computer to try and guess the encryption password without the wrong-entry time delays slowing them down: a secure enclave will actually enforce the time delays with no easy bypass and can also be set to wipe the phone if you get the passcode wrong too many times.
Phone apps are also almost entirely sandboxed from each other and can’t directly access other apps’ data, so the risk of a malicious program reading the password manager’s cache or database is also far lower than most desktop operating systems.
The problem with using hash schemes like this is that when your password is leaked you can’t easily rotate the password.
Not to mention if you suddenly developed amnesia or dementia
This is what got me using a password manager. I didn’t want to trust a password manager because it felt like they would be highly targeted and one vulnerability would reveal everything. And let’s be honest they still are the same.
So I had my own scheme for generating passwords. I made myself a script that I could use on my phone and PC. It worked beautifully and effortlessly until occasionally a service would force me to choose a new password. When this started happening I made a new scheme for generating passwords and made a new script. When it first happened it was still reasonably easy because there was only one service for which I had to use the alternative. It started to become more difficult the more services asked for a new password.
I used my own system for several years until I had enough with trying to remember which services used the alternative scheme and wondered when I’d have to make a third scheme. And if I did then the mental complexity would significantly increase.
Interestingly only a couple of services publicly announced they had been hacked and none of my passwords have ever appeared on haveibeenpwned. So I wonder why these services asked for a new password and if they had been attacked why they chose not to announce it.
Completely useless from many sources where I have to rely on a keyboard for entering passwords.
Most modern OSes feature emoji pickers though
Mac os and windows? I haven’t seen it on my Mac but maybe on windows? Those are pretty modern. I haven’t seen it in Linux either now that I think of it.
there is a “Characters” app in Gnome that lets you pick emojis
win+. will bring it up in windows
Yup, macOS has one too.
Ctrl + ; should bring up an emoji picker in Linux when you have focused a text field
What part of the word “Keyboard” did you not understand?
Idk, mine can. docs.qmk.fm/#/feature_unicode
As it said in the document: with a little help from your OS. So I want to log into lemm.ee from another person’s computer. I do not have my own keyboard, and I have neither my additional drivers nor extensions or whatever. Oops. No login.
Just use a password manager, goddamn.
But only save emojis in it lol
Two of my colleagues still use locally stored plaintext for individual work credentials, despite having been shown where the password manager is. Both have accessed their files in front of me. If it’s not in those files it’s saved in the browser (because convenience is a hell of a drug). Now you start to see why discrete managers have a hard time, even amongst technology workers.
Yeah, you can lead a horse to water, and whatnot.
As a software developer who has worked with a lot of symbols and emoji… PLEASE DON’T DO THIS.
Software doesn’t all handle these symbols the same way, and without tech knowledge (or even with), it’s very possible to not be able to log in easily. I’m kinda drunk rn, but I’ll try to explain as simply as I can…
For example… skintone emojis are actually two characters, a face and a skin tone modifier. I think those ones are always two characters but some of these “multi-char” characters can be normalized into a single character. But not everyone handles this the same way. For example, Safari might normalize the emoji, but Firefox might treat it as two separate characters… And this would probably make your password not match. But basically… text has lots of edge cases; I’d advise to use normal passwords please (also maybe a password manager)
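The two failure modes raised in this thread, an ASCII-only code path that silently converts characters (the first comment in this section) and differing Unicode handling between clients (the comment above), can both be shown in a few lines. The following is an added example, not code from any commenter: it lists code points, applies a fixed normalization form before hashing, and shows what a lossy ASCII path does. The sample strings are constructed. Two things it shows go slightly beyond the comment: a skin-tone modifier stays two code points under NFC, so that pair is stable, while the real composition trap is accented letters (composed vs. combining form) and compatibility characters such as fullwidth letters, whose bytes differ depending on whether, and with which form, the server normalizes. SHA-256 is used only to make byte differences visible; a real system would feed the canonical bytes to a salted slow KDF.

```python
import hashlib
import unicodedata
from typing import List, Optional


def code_points(s: str) -> List[str]:
    """List the Unicode code points of a string, e.g. ['U+1F44D', 'U+1F3FD']."""
    return [f"U+{ord(c):04X}" for c in s]


def canonicalize(password: str, form: str = "NFC") -> str:
    """Apply one fixed Unicode normalization form.

    The form must be chosen once, server-side, and never changed, otherwise
    hashes created under the old form stop verifying.
    """
    return unicodedata.normalize(form, password)


def password_digest(password: str, form: Optional[str] = "NFC", encoding: str = "utf-8") -> str:
    """Digest of the password bytes as a server might store them.

    SHA-256 here only makes byte-level differences visible; a production system
    would pass the same bytes to bcrypt, scrypt or Argon2 with a salt.
    """
    text = canonicalize(password, form) if form else password
    return hashlib.sha256(text.encode(encoding)).hexdigest()


def lossy_ascii(password: str) -> str:
    """What an ASCII-only code path does: non-ASCII characters are replaced,
    so distinct passwords collapse to the same stored value (the 'appears to
    work but got converted' case)."""
    return password.encode("ascii", errors="replace").decode("ascii")


if __name__ == "__main__":
    # Constructed sample inputs
    composed = "caf\u00e9"            # e-acute as one code point U+00E9
    decomposed = "cafe\u0301"         # e followed by combining acute U+0301
    thumbs = "\U0001F44D\U0001F3FD"   # thumbs up + medium skin tone modifier
    fullwidth = "\uFF21bc"            # fullwidth 'A' (U+FF21) followed by bc

    print("composed  :", code_points(composed))
    print("decomposed:", code_points(decomposed))
    print("raw digests equal :", password_digest(composed, None) == password_digest(decomposed, None))
    print("NFC digests equal :", password_digest(composed) == password_digest(decomposed))
    print("skin-tone emoji   :", code_points(thumbs), "stable under NFC:", canonicalize(thumbs) == thumbs)
    print("fullwidth A == A under NFKC:", password_digest(fullwidth, "NFKC") == password_digest("Abc"))
    print("fullwidth A == A under NFC :", password_digest(fullwidth, "NFC") == password_digest("Abc"))
    print("ASCII-only path stores     :", lossy_ascii("p\u00e4ssword"))
    print("UTF-8 vs latin-1 digests equal:",
          password_digest("p\u00e4ssword") == password_digest("p\u00e4ssword", encoding="latin-1"))
```

The practical check for a site you do not control is simple: set a password containing an accented letter or emoji, then log in from a different client (another browser, a phone keyboard, a copy-pasted string). If the server normalizes and decodes consistently it works everywhere; if one path is ASCII-only or a client sends the decomposed form, the login fails or, worse, a visibly different password is accepted.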
Was gonna say… you’re relying on the consistency of external emoji handlers that you don’t control. Ascii emojis are one thing.
Is my explanation ok? The hard kombucha was… harder than I anticipated
It was pretty normal lol. Basically everything between the visual of an emoji and what “text” is entered is not in your control. So it’s great for security but not in practice as a password. What brand was the kombucha I want some.
I didn’t realize NYC has a physical Juneshine location. So I got a flight… and a Juneshine cocktail…
Thanks for the feedback! I’ll be sure to use non-printing characters instead of emojis for my passwords! (They can’t guess it if it’s invisible right?)
In all seriousness, why are people so averse to using password managers? People are plenty willing to use the browser’s built-in “remember my password” instead of a proper password solution such as Bitwarden… And they come up with such “hacks” just to avoid using a proper length password.