Why you should (not) use Emoji in your passwords

Last week I launched EmojiKey, a product that allows to type Emojis on laptop/desktop as easy as typing letters.

When Chris Messina wondered how many services allow Emojis in passwords, I decided to check it and here’s what I learned.

Well, the first thing I tried is adding an Emoji to my login password for my Mac. I found myself locked out of my computer immediately 😊. Since not much people did it before, even senior advisors from Apple Support didn’t really know how to approach this issue. It made me even more curious to check where Emoji-support in passwords currently stands.

Couple of month ago Wired published an article called “Maybe Emoji Passcodes Aren’t Good Idea” and wrote:

Traditional computers lack a convenient input system for emoji — one day everyone will have emoji keyboards, but that day is not today.

That’s exactly the problem I solved with EmojiKey. So now I just had to check if the the rest of the world (operation systems, browsers, password tools and websites) support Emoji passwords.

Two reasons why using Emojis in your password is a good idea

Easier to remember

Emoji Passcode concept

“Neural correlates of the episodic encoding of pictures and words” research concludes:

“A striking characteristic of human memory is that pictures are remembered better than words.”

We remember visual information quicker and better comparing to text. Intellegent Environments that created Emoji Passcode (on the video above) concept are saying:

Memory expert Tony Buzan, and inventor of the Mind Map technique, said: “The Emoji Passcode plays to humans’ extraordinary ability to remember pictures, which is anchored in our evolutionary history. We remember more information when it’s in pictorial form […]”

More secure

Comparison of password complexity quiality by Password Assistant, a Mac OS built-in tool.

Right now very few hackers assume that you have an Emoji in your password. They are not including Emojis in brute-force vocabularies which reduces your potential to be hacked tremendously.

A password with just two Emojis is considered more secure then two words (7 letters combined with a capital letter).

Obviously it will change when using Emojis in passwords will become popular. But still, using even a single Emoji in addition to a characters or/and numbers makes the range of possible passwords wider, which means it becomes harder to hack.

PasswordMeter considers a combination of 5 Emojis as a highly strong password.

PasswordMeter is an online tool that gives a score for how hard a password is for hacking. Here are some examples of passwords scores:

• 4 (single number) — 3%
• $ (single character) — 10%
• ☺️ (single Emoji)— 20%
• T4 (combination of letter and number) — 14%
• ☺️✌️ (combination of two Emojis) — 44%

As you can see once you’re using even a single Emoji, your password becomes much more secure.

What is the best way to type Emojis on Mac?

Characters window

You can open this window by going to Edit -> Emoji & Symbols or pressing Cmd+Ctrl+Space.

This is the native solution Apple provides for inserting Emojis. And it’s terrible. Mac OS treats Emoji symbols not as something that is used constantly as a way of people to communicate, but as a special character, on the same level as “∰” or “∑”.

This way works for typing passwords but not comfortable for a daily use of Emojis.

Auto-replacement

System Preferences -> Keyboard -> Text

Mac OS allows automatically to replace a sepcific text or characters that are typed with another phrase. So you can define that every time you type “QQQ” it will be replaced with “😊”.

This way doesn’t work for passwords but handy for using in chats or emails. If you’re using Windows you can use AutoText for auto-replacements.

“Unicode Hex Input” keyboard layout

This native keyboard is used for typing special characters by using it’s Unicode Hex code. In order to type an Emoji you’ll have to use UTF-16 Unicode Hex format. It means that to insert “😊” you’ll have to press Alt key and type “d83dde0a”. Obviously it’s too complicated both for passwords and chatting.

Custom keyboard layouts 💪

This is the most effective way of typing emojis I found so far. It doesn’t take you out of the context while typing and works in every place in every app across Mac OS.

Keyboard layout I built using Ukelele

I built custom keyboard layouts for languages I’m using on my Mac and now I’m able to type Emojis pressing Option + Shift + the relevant key. No need to change language layour or open additional windows.

You can find English, Hebrew and Russian layots that include Emojis here. (Let me know if you need additional languages).

Who supports Emoji-passwords?

Mac OS user password

Mac OS allows you to set an Emoji-password. But the login screen has only native keyboards, no special characters window, no auto replacements. That’s the reason I couldn’t access my Mac for two days as I mentioned at the beginning of the article.

The only way to type an Emoji here is using “Unicode Hex Input” keyboard layout. You’ll have to type something like “d83dde0a” for every Emoji you use. It would make your password secure but IMO it doens’t worth the effort.

Keychain

KeyChain is storing Emoji-passwords perfectly which means that once you’re able to create a password for an online service that includes Emoji, KeyChain will take care of remembering and entering it in future.

Safari

iOS doens’t allow to switch to Emoji keyboard when you’re typing in password field, but allows to copy-paste it.

Safari remembers Emoji passwords perfectly so you’ll have to use the copy-paste technique only once when you login/register on mobile.

iOS Passcode

Most of iPhone users are using a 4-digits “Simple Passcode”. Turning off this feature allows you to create a password with letters and characters. Unfortunately exacly as in Safari the Emoji keyboard is unavailable here and using copy-paste won’t work as well.

Social networks and email services

I tried to create accounts on Gmail, Facebook, Outlook, iCloud (the web-interface) and all of them don’t allow using Emojis in the password.

Developer websites

Less mainstream products with a tech-savvy audience like Parse, Quora, Twilio, HN, DN, StackExchange, StackOverflow, Slack (+ Twitter) are handling Emoji-passwords perfectly.

Developers are always more likey to be early adopters, so if you think about it, this is exactly the kind of services you would expect doing something a little bit more innovative and geeky 👍.

So what should you do?

Try using Emojis when you’re creating new accounts on web-services. If it won’t work you’ll understand it immediately on the same page, so won’t waste any time. If it works, KeyChain will take care of remembering it.

Don’t use Emoji-passwords for your Mac accounts.

Allow using Emoji passwords in your product. Additionaly to improving your users security it might be a cool PR-move, especially if your audience is mostly teenagers.

Follow me on Twitter. Thanks to Max for some technical help in the research.