Fake “Unicode.” (@FakeUnicode), Nov. 07, 2019

Because it keeps coming up, how about a thread on Emoji in passwords. So we (and you) can link to it in the future.

Should they be allowed? For all practical purposes they can't not be. So, yes.

Should they be heavily warned against? Yes.

But why? Well...

First off, there are a lot of bad password policies out there. Mostly by services that probably store your password as plain text. The recent NIST recommendations suggest allowing Unicode, but normalized.  https://pages.nist.gov/800-63-3/sp800-63b.html 

This would normalize e + ¨ to ë, for example...

But there is no Emoji normalization:

Same emoji, on different platforms:
1⃣ 31-20e3 DIGIT ONE + COMBINING ENCLOSING KEYCAP
vs
1️⃣ 31-fe0f-20e3 DIGIT ONE + COMBINING ENCLOSING KEYCAP

👁‍🗨 1f441-200d-1f5e8 EYE IN SPEECH BUBBLE
vs
👁️‍🗨️ 1f441-fe0f-200d-1f5e8-fe0f EYE IN SPEECH BUBBLE

Also, there are overlapping variant forms, that vary by vendor and version.

™ 2122 (default text)
™︎ 2122-FE0E (force text)
™️ 2122-FE0F (force emoji)

🕴 1f574 (default emoji)
🕴︎ 1f574-FE0E (force text)
🕴️ 1f574-FE0F (force emoji)
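To make the "no emoji normalization" point concrete, here is an added Python example (not from the thread) that runs the thread's own code point sequences through all four Unicode normalization forms. It shows that e + COMBINING DIAERESIS collapses to ë under every form, while the bare and VS16 (U+FE0F) variants of the same emoji stay distinct under every form, because variation selectors and ZWJ have no canonical or compatibility decomposition. The `codepoints` helper renders strings in the same `31-fe0f-20e3` notation the thread uses.

```python
import unicodedata

# Sequences copied from the thread: the same visible emoji with and without
# U+FE0F (VARIATION SELECTOR-16), plus the e + COMBINING DIAERESIS case that
# normalization does resolve. The two TM forms differ only in FE0E vs FE0F.
KEYCAP_ONE_BARE = "1\u20e3"                      # 31-20e3
KEYCAP_ONE_VS16 = "1\ufe0f\u20e3"                # 31-fe0f-20e3
EYE_BUBBLE_BARE = "\U0001F441\u200d\U0001F5E8"   # 1f441-200d-1f5e8
EYE_BUBBLE_VS16 = "\U0001F441\ufe0f\u200d\U0001F5E8\ufe0f"
TM_TEXT = "\u2122\ufe0e"                         # 2122-fe0e (force text)
TM_EMOJI = "\u2122\ufe0f"                        # 2122-fe0f (force emoji)
E_DECOMPOSED = "e\u0308"                         # 65-308
E_PRECOMPOSED = "\u00eb"                         # eb

FORMS = ("NFC", "NFD", "NFKC", "NFKD")


def codepoints(s: str) -> str:
    """Render a string the way the thread does: hex code points joined by '-'."""
    return "-".join(f"{ord(ch):x}" for ch in s)


def same_after_normalization(a: str, b: str, form: str) -> bool:
    """True if a and b are identical after applying the given normalization form."""
    return unicodedata.normalize(form, a) == unicodedata.normalize(form, b)


def forms_that_unify(a: str, b: str) -> list:
    """Which of the four normalization forms, if any, make a and b compare equal.

    An empty list means a server normalizing passwords will still treat the
    two inputs as different passwords, whatever form it picks.
    """
    return [form for form in FORMS if same_after_normalization(a, b, form)]


if __name__ == "__main__":
    pairs = [
        ("e + diaeresis vs e-umlaut", E_DECOMPOSED, E_PRECOMPOSED),
        ("keycap 1 bare vs VS16", KEYCAP_ONE_BARE, KEYCAP_ONE_VS16),
        ("eye in speech bubble bare vs VS16", EYE_BUBBLE_BARE, EYE_BUBBLE_VS16),
        ("TM force-text vs force-emoji", TM_TEXT, TM_EMOJI),
    ]
    for label, a, b in pairs:
        unified = forms_that_unify(a, b) or "nothing"
        print(f"{label}: {codepoints(a)} vs {codepoints(b)} -> unified by {unified}")
```

Only the first pair is unified, and it is unified by all four forms; the three emoji pairs survive every form unchanged, which is exactly why a password typed on a platform that emits U+FE0F will not match the same visible password typed on one that does not.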

And the emoji definitions can change at any time (like the Emoji 12.1 rushed release this quarter).

And some vendors just do whatever they want.

Emoji only on Windows: 🐱👤, 🖔

Emoji only on Samsung: ⚀⚁⚂⚃⚄⚅

"Emoji" are effectively impossible to disallow specifically.

It gets worse. Emoji have been removed. If you input 🤝🏽 in a password, and then get a new phone, you no longer have it on your keyboard.

Multi-person skin tones removed from RGI:

 https://emojipedia.org/wrestlers-type-3/ 
 https://emojipedia.org/handshake-type-3/ 

 http://unicode.org/Public/emoji/3.0/emoji-sequences.txt 
 http://unicode.org/Public/emoji/4.0/emoji-sequences.txt 

Also, general to all Unicode (kaomoji for example), your input method may vary depending on situation:  https://apple.stackexchange.com/questions/202143/i-included-emoji-in-my-password-and-now-i-cant-log-in-to-my-account-on-yosemite 

Another fun one. "🤷 1f937 SHRUG" was a female on practically all platforms until last week.  https://emojipedia.org/shrug/ 

Going forward, it will be gender neutral. To get the female variant you have to use:

🤷‍♀️ 1f937-200d-2640-fe0f WOMAN SHRUGGING

You can't just throw that at NFKD

To summarize:

The same emoji on different devices varies in the codepoints used.

The same emoji on the /same/ device, over time, varies in the codepoints used.

What even is an emoji??? The server just sees codepoints.

Allow them? Yes

WARN against them? Probably. ¯\_(ツ)_/¯

For some actual constructive advice, maybe something like roughly detecting emoji with the current data files [ http://unicode.org/Public/emoji/latest/ ] or with a maintained regex [ https://github.com/mathiasbynens/emoji-regex ], and updating as needed.

Obviously useless for blocking emoji for the reasons stated. But

Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords:  https://tools.ietf.org/html/rfc8265  [via @ezzatron]. Tldr: NFC, fold spaces, forbid PUA.

Also see the Stability Policy (pretty useless for Emoji though).
 https://unicode.org/policies/stability_policy.html 

There are assumptions about Unicode you can make, that will never change, per the Stability Policy. Like the Private Use Area ranges.

But there are some things you can't take for granted.

Mongolian Vowel Separator has changed category twice.

Control > Space Separator > Control

Hmm, a discrepancy.

NIST [ https://pages.nist.gov/800-63-3/sp800-63b.html ] says: the verifier SHOULD apply the Normalization ... using either the NFKC or NFKD

IETF [ https://tools.ietf.org/html/rfc8265 ] says:
4. Passwords > 4.2.2. Enforcement > Unicode Normalization Form C (NFC) MUST be applied to all strings.

🤯

Need more reasons to avoid emoji passwords? Random old Android phone. Swiftkey enters password mode on <input type="password">, but still allows emoji input.

Using a never-before used Emoji results in it being saved in the recently/frequently used list.

What does your phone do?

