Does adding Emoji to passwords make them more secure
-
So assuming some things:
- All password inputs support emoji insertions (without validation failure)
- All apps properly hash passwords using the binary and not some other weird thing
- All OS systems support it
Would adding emoji make passwords more secure? Given there are something like four thousand emoji characters. I would think that it would drastically increase the difficulty of brute forcing passwords.
Any thoughts?
-
s3gunzel shouldn't a hash just use the bytes though? I feel like any password input that converts non-ascii characters into ASCII would be bad. Like really bad. Because after all, how would those password inputs handle something like Japanese or Chinese?
I know at work we just use the raw bytes of the password for hashing. Languages like C# natively support UTF-8 in strings as does JS and others.
-
tankerkiller125 said in Does adding Emoji to passwords make them more secure:
shouldn't a hash just use the bytes though?
It's still a form of plaintext.
The point is - you're not inherently any more secure because you use an emoji. Instead, therefore, of having a smiley face in the database, you've got \xF0\x9F\x98\x81 - and I suspect (without doing any real testing) that if you were to type it in plaintext, the database (and quite probably your web app as well) wouldn't be able to tell the difference between if it's meant to be a smiley or in plaintext.
-
s3gunzel said in Does adding Emoji to passwords make them more secure:
Instead, therefore, of having a smiley face in the database, you've got \xF0\x9F\x98\x81
Given that it should be hashed before it even hits the database I'd sure hope that it's hex by the time the database sees it.
In regards to web app knowing the difference, I did some testing and I can confirm that C# absolutely does see the Emoji differently than plaintext, and does generate an entirely different hash. I can't comment on any other languages though.
-
tankerkiller125 said in Does adding Emoji to passwords make them more secure:
Given that it should be hashed before it even hits the database I'd sure hope that it's hex by the time the database sees it.
Let's take hashing as implied, at this point.
tankerkiller125 said in Does adding Emoji to passwords make them more secure:
In regards to web app knowing the difference, I did some testing and I can confirm that C# absolutely does see the Emoji differently than plaintext, and does generate an entirely different hash.
Oh good, then maybe - and I hope this is the case - I'm wrong.
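The points debated in this thread, as an added example in Python that is not code from any of the posters: it compares the UTF-8 bytes of the emoji with the escape sequence typed as plain text, shows why Unicode normalization matters before hashing, and computes the per-character search space using the thread's figure of roughly four thousand emoji. The fixed salt, the iteration count and the helper names are assumptions made for the demonstration.

```python
import hashlib
import math
import unicodedata

SALT = bytes(16)       # constructed fixed salt so the demo is repeatable; use a random per-user salt in practice
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor for this demo

EMOJI = "\U0001F601"          # the emoji whose UTF-8 bytes are quoted in the thread
TYPED = r"\xF0\x9F\x98\x81"   # the same escape sequence typed as 16 ASCII characters


def password_bytes(password: str, normalize: bool = True) -> bytes:
    """Return the bytes that are fed to the hash: optional NFKC, then UTF-8."""
    if normalize:
        # Visually identical strings can use different code point sequences;
        # normalizing first makes them hash to the same value.
        password = unicodedata.normalize("NFKC", password)
    return password.encode("utf-8")


def hash_password(password: str, normalize: bool = True) -> str:
    """Salted, iterated hash of the password bytes, hex encoded for storage."""
    raw = password_bytes(password, normalize)
    return hashlib.pbkdf2_hmac("sha256", raw, SALT, ITERATIONS).hex()


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy per character, valid only if each character is picked uniformly at random."""
    return math.log2(alphabet_size)


if __name__ == "__main__":
    # 4 bytes for the emoji versus 16 bytes for the typed escape: different inputs.
    print(password_bytes(EMOJI), len(password_bytes(TYPED)))
    print("same hash:", hash_password(EMOJI) == hash_password(TYPED))

    # Precomposed and decomposed forms of the same visible word (constructed sample).
    composed, decomposed = "caf\u00e9", "cafe\u0301"
    print("raw bytes equal:", password_bytes(composed, False) == password_bytes(decomposed, False))
    print("normalized bytes equal:", password_bytes(composed) == password_bytes(decomposed))

    # 95 printable ASCII characters versus ASCII plus ~4000 emoji (the thread's estimate).
    print(round(bits_per_symbol(95), 2), round(bits_per_symbol(95 + 4000), 2))
```

The per-character gain (about 6.6 bits to about 12 bits) only holds for randomly generated passwords; a person who appends one favourite emoji adds far less.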