Using an emoji password? Better not.

With emojis rapidly evolving into one the world’s most recognizable languages, cybersecurity experts claim they are inevitably entering our passwords too. While this idea may sound innovative, professionals say it has already proved to have major digital security downsides, bringing with it the risks of losing access to critical accounts or falling victim to improved brute force attacks.

“Many people are surprised when they realize that you can use emojis for passwords and that there are folks out there actually doing so. Creating a memorable emoji combination is surely more fun than scratching your head for yet another password made from regular characters, but it’s worth bearing in mind the risks and inconveniences this novelty brings,” says Tomas Smalakys, the chief technology officer (CTO) of NordPass.

How do people use emojis in passwords?

There are a few common ways to use emojis in passwords, Smalakys says. The first is integrating emojis among other symbols, be it letters, numbers, or special characters. The second is creating a password consisting purely of emojis. In 2015, the first emoji-only pin code was offered by Intelligent Environments, a UK firm, to provide easier and more youth-friendly access to banking accounts.

On smartphones, tablets, laptops, and other devices, an emoji password is created in a very similar manner. If an emoji library or keyboard is installed on a device, an internet user can simply select an emoji to be added to a string of password characters. In a different scenario, a person can “copy paste” the emoji from Emojipedia, an online emoji dictionary, or another popular site.

Out of over 3,600 Unicode Standard emojis available to date, internet users can create easily-memorable visual combinations, for instance, illustrating their morning routine with emojis picked accordingly for bed, shower, breakfast, and work. Artificial intelligence tools, such as ChatGPT, can also help in coming up with memorable emoji strings.

Emoji password setting is the easy part, according to Smalakys. “Way more confusing is what comes afterwards,” he adds.

Why should you avoid emoji passwords?

1. You risk getting locked out of your accounts. A successful setup of an emoji password does not guarantee a user will be able to sign back in to a website. This situation happens because various websites handle Unicode differently and their login interfaces do not necessarily include an emoji keyboard.

1. Cross-platform experience is still poor. Despite Unicode, certain emojis or other characters are not necessarily read the same way across operating systems. What works on Android could look different on iOS.
   
   

2. Changing one bad habit to another bad habit. People are naturally tempted to go for convenience. When creating regular passwords, they often choose the easiest keyboard combinations, such as “qwerty.” With emoji passwords, internet users tend to select their favorite emojis which are conveniently stored at the front of the keyboard library. According to the latest data by Emojipedia, the most common emoji to date is “Face with Tears of Joy,” and this trend signals that emoji passwords do not overcome the problem of password fatigue.
   
   

3. Brute-forcing emoji passwords is only a step away. While current brute-forcing attacks are mostly based on dictionary words, it is only a matter of time before they include emoji combinations too — both mixed with regular symbols and purely emoji-based. Therefore, these passwords are not a long-term solution for online authentication, says Smalakys.

The life behind emoji passwords

“Emoji passwords are too predictable, similarly to passwords, and now we have way more advanced methods of online authentication. Many progressive websites are allowing their customers to join websites using passkeys, considered the most promising alternative to any passwords. It reduces the human factor in account security because with this technology, a person no longer needs to create or remember their credentials,” says Smalakys.

A passkey is a pair of two cryptographic keys — public and private. The private is stored on the user's device and the public — on a website’s server. Without each other, these keys do not work, and therefore, are useless to hackers. Moreover, the passkey on your gadget (the private key) cannot be accessed without biometric identification (of the device's owner) or a PIN, which adds extra protection.

A passkey is a very long combination of various numbers, letters, and symbols. Compared to a password, a passkey is never created by the user and is always generated automatically.

ABOUT NORDPASS

NordPass is a password manager for both business and consumer clients. It’s powered by the latest technology for the utmost security. Developed with affordability, simplicity, and ease of use in mind, NordPass allows users to access passwords securely on desktop, mobile, and browsers. All passwords are encrypted on the device, so only the user can access them. NordPass was created by the experts behind NordVPN — the advanced security and privacy app. For more information: nordpass.com.