Can using emojis make someone's password safer?
The difficulty of cracking a password is measured by the entropy in the process used to generate it. This can be measured for most passwords by taking the base-2 logarithm of the number of symbols raised to the power of the number of symbols used. For instance, a randomly-chosen password consisting of 8 lowercase letters has log2(26 ^ 8) ~ 38 bits of entropy in it.
This method can be extended to "correct horse battery staple"-style passwords. In this case, each word is itself a symbol, chosen from a dictionary of the 10,000 most common words. A password generated randomly this way would have log2(10,000 ^ 4) ~ 53 bits of entropy, and be significantly harder to break.
Hopefully by seeing these two examples, you can see that dramatically increasing the base has a far, far smaller effect on password entropy than modestly increasing the exponent. This is important, because by adding additional symbols to choose from (uppercase letters, digits, symbols, and at the extreme, non-Latin Unicode code points like emoji, RTL markers, kanji, etc.), you're increasing the base and not the exponent. This will generally make your password harder to crack, and may even make it more memorable to you, but increasing the length (and thus the exponent) will help even more.
For instance, by including lowercase letters (26), uppercase letters (26), digits (10), common symbols (32), and a handful of emoji (say 200, for example's sake), a random eight-character password will have log2((26 + 26 + 10 + 32 + 200) ^ 8) ~ 66 bits of entropy. On the other hand, simply doubling the length of a password consisting only of lowercase letters would result in a password with log2(26 ^ 16) ~ 75 bits of entropy, which is over five hundred times more difficult to crack.
While adding emoji can make a password stronger, it's not as effective as simply increasing the length. It won't turn a terrible password like Password15068 into something meaningfully more difficult to crack. And it simply won't work in many real-world password input fields (some will reject it outright, and worse, many others will silently ignore the character). Furthermore, a two-character password like will never be secure, for the simple reason that there are only a handful of emoji to choose from; even if you assume ten thousand of them, you're left with a password with only log2(10,000 ^ 2) ~ 27 bits of entropy.
Your best bet is to simply use a password manager. Humans are terrible at memorizing complex passwords, but computers are great at it. Password managers give you the benefit of strong, unique passwords for every site you visit and remove the weakest component from the chain: the human.
Update: I didn't make this clear in the original post, but linear increases in entropy represent exponential increases in difficulty to crack. A password with n bits of entropy requires 2^(n-1) operations on average to crack, so each time the entropy increases by one, the effort required to break the password doubles.
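As an added example (not part of the answer above), the entropy arithmetic the answer walks through, written out so the five schemes can be compared side by side, plus a helper that shows the lengthening-beats-widening point by asking how many lowercase letters match the 8-character emoji scheme. The alphabet sizes are the ones the answer assumes (26 lowercase, 10,000 words, 294 mixed symbols).

```python
import math


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length),
    computed as length * log2(alphabet_size) so huge integers are never built."""
    return length * math.log2(alphabet_size)


def average_guesses(bits: float) -> float:
    """Expected number of guesses before the password is hit: 2 ** (bits - 1)."""
    return 2.0 ** (bits - 1)


def difficulty_ratio(alphabet_a: int, length_a: int, alphabet_b: int, length_b: int) -> float:
    """How many times more work scheme B costs to brute force than scheme A."""
    return 2.0 ** (entropy_bits(alphabet_b, length_b) - entropy_bits(alphabet_a, length_a))


def length_for_target(alphabet_size: int, target_bits: float) -> int:
    """Smallest password length that reaches target_bits with the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


# The schemes discussed in the answer: (alphabet size, length)
SCHEMES = {
    "8 lowercase letters": (26, 8),
    "4 words from a 10,000-word list": (10_000, 4),
    "8 chars incl. upper, digits, symbols, 200 emoji": (26 + 26 + 10 + 32 + 200, 8),
    "16 lowercase letters": (26, 16),
    "2 emoji from 10,000": (10_000, 2),
}


def summarize() -> dict:
    """Rounded entropy in bits for every scheme, keyed by its description."""
    return {name: round(entropy_bits(a, n)) for name, (a, n) in SCHEMES.items()}


if __name__ == "__main__":
    for name, bits in summarize().items():
        print(f"{name:50s} {bits:3d} bits  ~{average_guesses(bits):.2e} guesses on average")
    # Widening the alphabet to 294 symbols at length 8 is matched by a few more lowercase letters
    print("lowercase length matching 294^8:", length_for_target(26, entropy_bits(294, 8)))
    print("26^16 is harder than 294^8 by a factor of", round(difficulty_ratio(294, 8, 26, 16)))
```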
The purpose of complex passwords is to defend against brute force attacks. Unless you are being directly targeted by an attacker, it's likely that the attacker will just try easy passwords and permutations of them (where "easy" still covers tens of thousands of passwords), then move onto someone else. Those easy passwords are usually based on dictionaries of common (pass)words, and not just trying every possible combination of characters. At the moment, because almost nobody uses emojis in their passwords, using them is likely to make your password unique and therefore incredibly unlikely to be cracked (as long as it's stored in a remotely secure way), simply because it's obscure. Even if an attacker did add emojis to their dictionary, there are enough emojis in Unicode that, unless you pick something as obvious as ☺, it would still be stronger than most other characters that you might put in your password. So yes, emojis do make your password safer.
However, if you do include an emoji, that doesn't mean that you can just not follow other password guidelines, particularly using a different password on each site. There are some sites that, against all best practices, store users' passwords in plain text or a format that can be converted to plain text. If you used the same password everywhere and one of those sites experienced a security breach, that would make the benefit of including an emoji in that password precisely zero, because the attacker can now just log into other sites.
Another thing is, say I use this emoji: this generates to this code xn--ss8h, so would the password "Password" be read as 9 letters/nums, or 17?
Unless the service that your password is for is doing weird things, it would be 9 or 13 characters, depending on the attack used. The xn--ss8h is just a representation of that character to allow it to be used in things like URLs, whereas in reality it is just a number. In hex, that number is 0xF09F92B0, so if an attacker was determined to get your password, they would either brute force it by trying every character (including ), or they would try it byte by byte (in which case it's 0xF0, 0x9F, 0x92, 0xB0).