Comment by dlitz
10 years ago
Well, really, it should just work or OSX should prevent this from happening in the first place.
Emoji are common among non-technical users---exactly the market that Apple supposedly caters to---and why would anyone expect a non-technical user to know that using emoji in a password would be considered "crazy", without knowing the extensive legacy of pre-Unicode systems, the location of many emoji outside the Basic Multilingual Plane, their relatively recent inclusion in Unicode 8.0, etc etc.?
It is a mistake to blame the user for something like this.
Not trying to excuse OSX's behaviour, but non-technical users are the ones who use passwords like: abcdef, 123456, password123, etc.
In fact, using such characters (emojis, other Unicode characters, etc.) in passwords should be considered a secure practice.
Technical users use Diceware because it's the best way for the human mind to capture entropy.
https://en.wikipedia.org/wiki/Diceware
It's the non-technical users who try the silly stuff. A Diceware password with 4 words is 51 bits of entropy. 5 words gets you 64 bits of entropy.
For example, if you remember that "U+2708" is the Airplane emoji, why not just type the string "U2708" on the end of the password (ex: MyPasswordU2708). The longer password is going to add provably the same amount of entropy, and will work with virtually any system.
The old bits of entropy count is based on extended ASCII. In reality we could count UTF-8 code points, with each code point having 1/#code_point entropy.
As a brute force guesser can throw UTF-8 chars instead of attempting to rebuild emoji from their underlying ASCII string.
Technical users that had never heard of Diceware before, because it's obscure, don't use it :)
If you read more of the answers, another poster says that this was fixed in El Cap by preventing the use of such characters in passwords.