You can totally use emojis as passwords. You can probably even make this a policy at your company.
Edit: I thought this was an obvious enough joke, but just to clear things up: Only do this if you hate your company and everyone working there.
this post was submitted on 01 Oct 2023
380 points (93.8% liked)
Linux
47270 readers
2079 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
For somewhat more realistic numbers:
According to minerstat.com, an NVidia RTX 4090 has a hashrate of 118.07MH/s. This is 118.07 Megahashes per second, or 118.070.000 hashes per second. For a password with only 8 lowercase letters (208.827.064.576 combinations), it would take an RTX 4090 approximately 1769 seconds (or ~30 minutes) to go through all possible combinations. For an 8 character upper+lower+numbers password (218340105584896 combinations) it would take 1849243 seconds, or 21.4 days.
For an 8 emoji password (32482071647592311234920185856 combinations), it would take 275.108.593.610.504.896.512 seconds, or 8.723.636.276.335 years.
Lets say a magic prediction algorithm reduces the number of possible combinations in each password to 1 out of every 1 million previously possible combinations. 8 lowercase letters would be cracked instantly, while an 8 emoji password would still take 8.723.636 years.
These statistics aren't entirely correct. There are 3664 emoji, so an 8 emoji password would take ½*3664^8 attempts to crack on average, or 1.6 * 10^28 attempts or about 10^20 seconds on a single 4070. That's ignoring the fact emoji are more than one single byte; at byte level, an 8 emoji password is probably 24 bytes long, but it can be much longer.
Now, this number could be reduced by a dictionary attack (⚽ doesn't get combined with gender or skin tone, generally) and emoji like 🏴 can increase the number (🏴 is one glyph but encoded in 28 bytes!).
In practice, though, I don't think people would be able to remember whether they used 💙 or 🩵. That makes it rather unpractical for normal people to use. Also, software isn't generally tested for this. The Steam Deck had a bug on release where it would crash and reboot if you opened up the emoji selection screen in the password field for initial setup, for example.
Just adding a single emoji to a password would probably make it uncrackable already, because brute forcing tools like John the Ripper don't include these unicode ranges by default. Then again, so does adding 𓂸.
The times I calculated were indeed going over every possible combination, it would take half as long to crack a password on average. Considering reducing the time to 1/1000000 still leaves you with an incomprehensibly large estimated timespan, dividing that by 2 doesn't do that much for making it brute-forceable.
I did note it was specifically for 8 emojis, not 8 characters or bytes.
And yes, it's very impractical and likely to break things. It's better and much easier to add extra letters, numbers, and symbols to your password rather than using emojis. Using a password manager is even better.
As you stated, a single unicode character would mean your password wouldn't be included with the potential options in almost all brute forcing tools. Whether you use 8 emojis or 1, your password likely won't get brute forced.
All of my "emoji password" numbers are if the attacker knows it's a password containing exactly 8 emojis, and nothing more. Adding a regular symbols+upper+lower+numbers 16 character password would make it even more impossible to brute force.