
Comment by notfoss

10 years ago

Not trying to excuse OSX's behaviour, but non-technical users are the ones who use passwords like: abcdef, 123456, password123, etc.

In fact, using such characters (emojis, other unicode characters, etc.) in passwords should be considered a secure practice.

Technical users use Diceware because it's the best way for the human mind to capture entropy.

https://en.wikipedia.org/wiki/Diceware

It's the non-technical users who try the silly stuff. A diceware password with 4 words is 51-bits of entropy. 5 words gets you 64-bits of entropy.

For example, if you remember that "U+2708" is the Airplane emoji, why not just type the string "U2708" on the end of the password (ex: MyPasswordU2708). The longer password is going to add provably the same amount of entropy, and will work with virtually any system.

  • The old bits of entropy count is based on extended ASCII. In reality we could count UTF-8 code points, with each code point having 1/#code_point entropy.

    As a brute force guesser can throw UTF-8 chars instead of attempting to rebuild emoji from their underlying ASCII string.

    • "with each code point having 1/#code_point entropy."

      That requires that users be uniformly-randomly selecting Unicode characters. There's a number of problems with this idea, most notably that the resulting password would have an insanely high "difficulty to type"/"bit of entropy" ratio. By the time you're through your third keyboard mode switch or third character typed in via generic Unicode hex entry, a 4-word passphrase user already has logged in and opened their browser.

      Mixing in a single Unicode character into your password might be sorta clever, but you probably shouldn't rely on getting a lot more "bits" out of it.


  • Technical users that had never heard of Diceware before, because it's obscure, don't use it :)
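An added example, not posted by anyone in this thread, that works through the entropy figures argued about above: the Diceware word counts from notfoss's comment and the "1/#code_point" best case from the nested reply. The 7776-word list size and the 95-character printable ASCII alphabet are exact; the emoji count is an approximate assumption, and the toy wordlist is constructed.

```python
import math
import secrets

# Diceware: each word is selected by five rolls of a fair die, so the
# standard list has 6**5 = 7776 entries and every word is chosen uniformly.
DICEWARE_LIST_SIZE = 6 ** 5

# Alphabet sizes for a single appended symbol. Printable ASCII is exact; the
# emoji count is an assumption, and the code-space size is the full Unicode
# range, used only to show how far the "1/#code_point" argument can stretch.
ALPHABETS = {
    "printable ASCII": 95,
    "emoji (approx., assumption)": 3_700,
    "whole Unicode code space U+0000..U+10FFFF": 0x110000,
}


def passphrase_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy in bits of num_words words drawn uniformly from a list."""
    return num_words * math.log2(list_size)


def appended_symbol_bits(alphabet_size):
    """Bits added by appending ONE symbol drawn uniformly from an alphabet.

    This is the best case the nested reply describes: it only holds if the
    symbol really is picked uniformly, not a memorable favourite like U+2708.
    """
    return math.log2(alphabet_size)


def words_for_target(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of Diceware words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def roll_diceware_key():
    """Five CSPRNG-backed die rolls -> the lookup key for one word, e.g. '31645'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def generate_passphrase(wordlist, num_words):
    """Draw num_words words uniformly from wordlist with a CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for n in (4, 5, words_for_target(80)):
        print(f"{n} Diceware words: {passphrase_bits(n):.1f} bits")
    for name, size in ALPHABETS.items():
        print(f"one symbol from {name}: +{appended_symbol_bits(size):.1f} bits")
    # Constructed toy wordlist; a real Diceware list has 7776 entries.
    print(roll_diceware_key(), generate_passphrase(["alpha", "bravo", "charlie", "delta"], 3))
```

Four words come out at 51.7 bits and five at 64.6 bits, matching the figures quoted in the thread, while even a uniformly chosen code point from the entire Unicode range adds only about 20 bits, less than two Diceware words.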