This story is over 5 years old.

The Problem with Emoji Passwords: Exactly the Same as Regular Passwords

Cybersecurity experts warn they could be just a vulnerable to our lazy habits.
Screengrab: Vimeo

Walking up to an ATM and keying in a pin that includes a poop emoji to take out cash is pretty much the millenial dream. But just because emoji password technology exists, doesn't mean it will ever catch on, and it definitely doesn't mean our password problems are solved, according to some cybersecurity experts.

Last week, UK-based technology company Intelligent Environments announced the world's first emoji-based password technology. The technology isn't being used outside of Intelligent Environments's own banking app just yet (don't expect your bank or Facebook to have already made the switch), but the company touted emoji passwords and pins as more secure and easier-to-remember than alphanumeric codes.


Because there are so many different symbols, there are 480 times more combinations of emojis than there are of numbers zero to nine. Technically, this should make things more secure and considering way too many of us still use passwords like 12345, it's high time we came up with some new solutions. Emojis are familiar, popular, and might even be easier to remember since we can associate an image with so many different thoughts and feelings.

But the cybersecurity experts I talked to weren't convinced that emojis are the answer to all our password problems.

"In the immediate term, there's going to be a huge degree of uniqueness because no one else is really doing it yet," Troy Hunt, a web security specialist, told me via Skype. "But three years from now, we could just descend into the same problems we have now. The suspicious part of me thinks people will gravitate toward common patterns."

If that were the case—say the most common pin was just four red heart emojis in a row—we'd be in the same boat as we are now: lots of people recycling weak, easy-to-crack passwords. Even if people were motivated enough to think of long, unique strings of emoji, they might have trouble remembering them. And if they can remember their random emoji passcode, they might not want to have to use a new one for every account.

Other cybersecurity experts say it's a moot point because the technology will never become widespread. Password expert Per Thorsheim, who founded the Passwords conference, pointed out that this isn't the first time image-based password technology has been introduced. Windows 8, for example, gave users the option of using a "picture password," where they could click or draw on an image instead of entering a password.


"It is an exotic idea, but I seriously doubt this will see any widespread adoption," Thorsheim said in an email. "Adopting technology such as this idea of using emojis would be considered an additional risk: it is untested, scientifically (perhaps) proven to be user friendly but not necessarily more secure."

Thorsheim predicted it will all but disappear within a year.

If the emojis aren't here to save us, what is? We seem to have a global problem with passwords. No matter how many experts tell us we're leaving ourselves vulnerable with our lazy, easy-to-crack passwords that we use for everything, we don't seem eager or willing to change. And as Hunt pointed out, even when we do take the time to come up with a good password, we have so many accounts that require logins now, it's impossible to keep them all in our head.

Hunt said he thinks the solution—at least for now—is password management systems, like LastPass. These systems allow users to store all of their passwords in an encrypted database. Users sign in using one master password and the app automatically enters their long, hard-to-remember passwords for every account. It allows users to create unique, long, complicated passwords for all their accounts (it will even generate them for you) without having to memorize them all.

But these systems aren't infallible either. If your master password is weak, all of your accounts become vulnerable, instead of just one. And the password management systems themselves can get compromised. In fact, LastPass got hacked just last week.

Hunt admitted that's "not a good look", but told me those kind of services are still the best bet we have.

"The way they encrypted their passwords means that it would be very hard for someone to get your information without having your master password," Hunt said, noting it was a less dramatic breach than some of the hacks we've seen against banks and credit card companies. When it comes to better passwords, Hunt is putting his money on managers for now.

"Password managers are the best mousetrap that we've got at the moment," he said.