You are viewing a single thread.
View all comments
179 points

Emojis are known to break systems in certain circumstances due to the way they’re interpreted in certain character sets.

I guarantee people doing this will not only lock out their own accounts, but may even freeze some authentication servers.

https://www.pcmag.com/news/want-to-brick-an-iphone-send-some-emojis

https://www.itechpost.com/articles/75762/20170119/brick-iphone-using-emojis-plus-tricks-dont-know.htm

permalink
report
reply
49 points
*

The website should feed your password straight into a well known hashing algorithm or key derivation function that has undergone a decade or more of careful scrutiny, without any other processing. The output will usually be a fixed length base64 or hex string.

There’s a short list of about three options that are currently considered acceptable, and a few more are probably fine but are a little too easy to crack these days (e.g. anything that shares the same math as bitcoin… what if someone throws a mining datacentre at your password?)

If the site breaks, maybe you don’t to be a customer of that service.

permalink
report
parent
reply
19 points

Can you still log in to wellsfargo accounts using the T9 translation of your password?

permalink
report
parent
reply
8 points

make one account with emoji password to test their system, if it break, good, go create hour account somewhere else

permalink
report
parent
reply
6 points

It’s not the processing on the server that’s the problem. To reach the server the password needs to go through several layers of character encoding, if any of them fails the server will receive something different from what you meant. And when you try to login from another device and the layers will be different you’ll effectively be sending a different password.

permalink
report
parent
reply
4 points

The same character encoding that would break emoji would break a significant portion of the words names, so if your system can’t handle it, then you deserve all the trouble that you run into.

Unicode isn’t that hard.

permalink
report
parent
reply
0 points

It’s not the 90s anymore.

permalink
report
parent
reply
28 points
*

auth servers breaking from emojis would be hilarious, pretty sure that’s why older auth servers only allow certain symbols in passwords

permalink
report
parent
reply
35 points

“Your password ‘🤣umådbrø⁉️’ is breaking our server. Please change it.”

permalink
report
parent
reply
9 points

“Of course. What is the server’s root password?”

permalink
report
parent
reply
13 points

If some auth server breaks because I put emojis in my password then that’s right and deserved

permalink
report
parent
reply
6 points

Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin’ for not stripping non-UTF characters (or making sure they work).

My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn’t have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn’t even recognize it.

So if anything, I’d say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboards layout can be installed across devices and are fully standardized, even if the same character looks slightly different.

permalink
report
parent
reply
17 points

Stripping characters from passwords, great idea! Right up there with truncating passwords that are too long.

permalink
report
parent
reply
-5 points
Deleted by creator
permalink
report
parent
reply
3 points

also some OSKs put whitespaces after inserting an emoji, some doesn’t. there’s no unified emoji input method yet.

permalink
report
parent
reply
2 points

There’s no such thing as a non-UTF8 character. You mean non-UTF8 bytes? If a system sees those, it should reject the entire input, not try to patch it up.

permalink
report
parent
reply
4 points
*

and there are many trash implementations that dont recognise something like :emoticon: as shortcut and turn it into emoji, no no you have to use emoji keyboard to type them

permalink
report
parent
reply
1 point
Deleted by creator
permalink
report
parent
reply
4 points

OTOH, there is only one character set that matters, and any system using a different one is, by that fact alone, broken.

permalink
report
parent
reply
0 points
4 points

I said only one that matters. So I already did pick one. It’s called Unicode.

permalink
report
parent
reply
-6 points

That only applies to iphones that came out 2016 or earlier and we’re never updated right?

permalink
report
parent
reply
25 points

Hahaha, I wish.

You would be amazed at how ancient and poorly maintained many web servers are on the modern internet. SQL injection still consistently make the top 3 web app vulnerabilities as of 2021. If that isn’t being sanitized properly I don’t expect emojis would be handled much better.

permalink
report
parent
reply
4 points

Thanks I wasn’t aware of that

permalink
report
parent
reply
7 points
*

For that particular bug, yes, but there have been many other variations on that theme and not limited to Apple tech. I’ve seen it nuke an email send for example because the SMTP server choked on emojis placed in a subject, to, or from line.

permalink
report
parent
reply
3 points

Thanks I appreciate the clarification

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 17K

    Monthly active users

  • 12K

    Posts

  • 554K

    Comments