back to article British banks consider emoji as password replacement

British outfit Intelligent Environments says it in discussions with online banks to sell what it says is the first authentication scheme to replace passwords with emojis. The company claims emojis have 480 times more permutations than four digit passcode equivalents, a statistic we've struggled to verify independently. …

  1. Paul 87

    The maths isn't too hard to verify, your combinations of pin numbers should be 10 x 9 x 9 x 9 (since you can start with 10 digits but then cannot pick the same number as the one before it) giving 7290

    For more characters then, you do increase your number of permutations to be 44 x 43 x 43 x 43 = 3498308

    So they claim that their method increases the numberofpermutations by a factor of 480 (not 480 more as that implies 7770 permutations)

    1. RamblingRant
      Thumb Down

      Actually, the maths doesn't stack up.

      They go on about replacing passwords but their comparison is against PINs. That's not exactly an apples to apples comparison...

      A 4 digit PIN (numbers 0-9) is 10,000 permutations, 7,290 non-sequential permutations.

      A 4 emoji "password" (44 possible emoji) is 3,498,308 non-sequential permutations.

      A 4 character password (*just* upper & lowercase) is 7,311,616 permutations.

      If you throw numbers into the mix too, there's 14,776,336 permutations.

      So, even compared to the weakest of passwords, there are still 3.8 million reduction in the keyspace.

      The notion that banks will replace the ATM PIN with this is just nonsense... most still use Windows XP for heavens sake.

  2. Tromos

    "An Intelligent-Environment-commissioned survey found British teenagers regularly converse over SMS using nothing more than emojis"

    Yes. They're known as illiterates.

    1. Neil Barnes Silver badge
      Headmaster

      All hail the illiterati!

      So teeneagers have as *many* as forty-four discrete communications symbols? Who'd have thought it?

      1. Anonymous Coward
        Anonymous Coward

        Re: All hail the illiterati!

        Anybody remember the experiments done with apes, giving them speech boxes with icons printed on the keyboards?

    2. Captain Scarlet
      Childcatcher

      So basically they are communicating like Beavis and Butthead, just from further away.

      1. Steven Raith

        Shut up, dilweed!

        Steven "uuh huhuhuh" R

  3. Robert Helpmann??
    Facepalm

    Great Idea!

    Obviously, the response to people not being able to remember their passwords because they have so many of them is to provide a completely different set of input values to choose from. Additionally, because a small subset of the population uses this set of characters on a regular basis, it will have broad enough appeal to make implementation worthwhile. It's bad enough that the Unicode Consortium thinks it's a good idea to add emoji to the character set... Now there's an idea: why not just add the entire Unicode character set to the available choices for passwords? That would provide 110,000n possible combinations to choose from using an n-digit password. Patent pending on input device.

    8€

    1. deive

      Re: Great Idea!

      Exactly, I can't imagine banks encode in ASCII - so they probably use UTF-8 and can already accept emoji as passwords, how is this new??

      1. Buzzword

        Re: Great Idea!

        I can't imagine banks encode in ASCII either - they're still using EBCDIC.

        1. John Gamble
          Meh

          Re: Great Idea!

          "... they're still using EBCDIC.

          Yup, and the front-end developers then limit the legal password characters to letters and numbers -- no symbols. I'm still boggled by the assumptions behind that limitation (the big one being the assumption that the password is stored unencrypted -- one hopes that's no longer true in the 21st century).

      2. fearnothing

        Re: Great Idea!

        On the other hand I know a bank that forbids any character stranger than a "-" in a password, will not let you use a password longer than 16 characters, but requires you to use a lowercase and uppercase letter and a number.

        Don't ever expect banks to do the sensible thing.

        1. Barry Rueger

          Re: Great Idea!

          Been asking my bank fot three years, and it's still alpha letters, not case sensitive, numbers, and no, repeat NO special characters.

          Their argument, with an apparently straight face, is that anything better would confuse customers.

    2. petur

      Re: Great Idea!

      As a bonus, good luck writing it down on a post-it :D

      1. Paul Kinsler

        Re: good luck writing it down on a post-it :D

        But on the plus side, the chances of anyone /else/ being able to decipher the password written on the post-it are very greatly reduced.

        1. Jedit Silver badge
          WTF?

          "the chances of anyone /else/ being able to decipher the password are greatly reduced"

          I must be missing something here. Nobody I know writes down emojis, so surely anyone seeing four of them on a Post-It would immediately know it was a password?

    3. Rich 11 Silver badge

      Re: Great Idea!

      Patent pending on input device.

      Just hold own the Alt key while entering + and the hex code...

    4. Jimmy2Cows Silver badge
      Thumb Up

      @ Robert Helpmann?? Re: Great Idea!

      Well done sir, I was thinking the exact same thing.

      Have an internet.

  4. Anonymous Coward
    Anonymous Coward

    "What's clear is that the younger generation is communicating in new ways,”

    Well, such has always been so. And then the younger generation eventually grows up and realises that a common form of communicating is necessary for a society to exist, and gets with the (old) beat

    Why screw with what works just to please fans of a passing fad?

    1. Rich 11 Silver badge

      Re: "What's clear is that the younger generation is communicating in new ways,”

      Because some knob-end thinks they can make money out of selling the idea to idiots.

    2. Anonymous Coward
      Anonymous Coward

      True enough.....

      "What's clear is that the younger generation is communicating in new ways”.

      Yup. Back in my day, it was 2 ski yoghurt cartons and a piece of string. And you had enough change for the bus ride home.

  5. This post has been deleted by its author

    1. Doctor_Wibble

      Wot no urinating dog?

      1. Alister

        What I did on my Holidays

        ...and on the 14th day, the Great Wizzard went to the place of the bank, and did insert a piece of card into a hole in the wall, and say a magic incantation, and received in return pieces of paper he called money [urinating dog) (urinating dog]

      2. ravenviz Silver badge

        The post contains some characters we can’t support

    2. VinceH

      I can't wait to apply for a new credit card, open the letter with the PIN advice inside, and have it tell me that my new pin is"

      Correct horse battery staple!

      All of a sudden, xkcd 936 becomes relevant in a whole new way!

    3. FrogsAndChips Silver badge

      If I can choose mine, it will be Rock, Scissors, Lizard, Spock.

      I'll keep the Paper to write the PIN on...

  6. Medixstiff

    So I wonder how many will choose something like this:

    ....................../´¯/)

    ....................,/¯../

    .................../..../

    ............./´¯/'...'/´¯¯`·¸

    ........../'/.../..../......./¨¯\

    ........('(...´...´.... ¯~/'...')

    .........\.................'...../

    ..........''...\.......... _.·´

    ............\..............(

    ..............\.............\...

  7. Anonymous Coward
    Anonymous Coward

    Yep, brilliant idea

    give the older generation (of which i rapidily approach) another pointless password / security "thing".

    Because the "youngsters" do it does not mean its a infallible system. The biggest issue i see without even thinking about it is that there are a hunder bleeding variants of a sad "emoji" (when the fuck did that spew into the English language). Or a dozen variants of a "Happy" one.

    Doomed to fail if you are over 50 with early onset rainbows.

    I'm as confused as a mood ring on a bi-polar schizophrenic chameleon in a bag of skittles.

  8. Doctor_Wibble
    Paris Hilton

    Square Underscore Square

    Or was that the sound of a joke whooshing over my head?

    1. Old Handle

      Re: Square Underscore Square

      Evidently you don't have the right font.

      It should look like this.

      1. Doctor_Wibble

        Re: Square Underscore Square

        > Evidently you don't have the right font.

        Yes, I had a feeling those weren't supposed to be square eyes! Not sure if it's necessarily better than a 'directly typeable' wide-smiley like (@_@) though.

        So now all I have to do is figure out which of my fonts has these things included:

        1) the one that looks like it was done by a typewriter

        2) the one that looks like it came from a book

        3) the one that looks like the lettering on platform signs at railway stations

        or

        4) none of them because everything else is wingdings or dingbats or *ptui* comic sans. A cause of extreme disorientation given this here is a bare-bones X11.

  9. Ye Gads

    I'm still trying to wrap my head around

    "Our research shows 64 percent of millennials regularly communicate only using emojis."

    Really?

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm still trying to wrap my head around

      So, how did they do the research?

    2. Tomato42
      Trollface

      Re: I'm still trying to wrap my head around

      Chimps communicate using grunts.

      Doesn't make the communication any meaningful outside their social circle, but it's useful enough to attract a mate and get rid of competition.

    3. Anonymous Coward
      Anonymous Coward

      Re: I'm still trying to wrap my head around

      Incidentally that's the percentage of illiterate youngsters.

    4. AndyS

      Re: I'm still trying to wrap my head around

      "Our research shows 64 percent of millennials regularly communicate only using emojis."

      Really?

      Well... I know I've been guilty, in my distant past, of sending simply a smile as a text. Something like this:

      Alice: You still ok to meet at 8?

      Bob: :)

      It's not like complex sentences and refined thoughts are _always_ required to count as communication. A simple yes/no can be represented in a thousand ways, and many quick texts consist of nothing more.

      1. Christoph

        Re: I'm still trying to wrap my head around

        I did once reply to a post wondering why a particular website was crashing, with the two symbols forward slash and full stop.

      2. Michael Wojcik Silver badge

        Re: I'm still trying to wrap my head around

        It's not like complex sentences and refined thoughts are _always_ required to count as communication. A simple yes/no can be represented in a thousand ways, and many quick texts consist of nothing more.

        Very true. Apparently many of the posters here don't understand how written communication works. But it's traditional for Reg commentators to complain about things they don't understand.

        On the other hand, I always use complete sentences and preferred usage and punctuation in my text messages. It's worth dozens of curmudgeon points and bolsters my (already robust) feeling of smug superiority. It's the main reason why I only buy phones with physical QWERTY keyboards.

    5. Christoph

      Re: I'm still trying to wrap my head around

      This must be some new meaning of 'communicate' which I'm not familiar with.

      1. Michael Wojcik Silver badge

        Re: I'm still trying to wrap my head around

        This must be some new meaning of 'communicate' which I'm not familiar with.

        You have plenty of company. Most folks here are broadly ignorant of the meanings of "communicate".

  10. Anonymous Coward
    Anonymous Coward

    "Our research shows 64 percent of millennials regularly communicate only using emojis"

    And dogs communicate by sniffing each other's backsides. Maybe that would make a good authentication method.

  11. Ben Bonsall

    What the hell is an emoji?

  12. Tomato42
    Windows

    New most common password

    And the most common password isn't 1234 any more, its

    :) :) :( ;)

    1. NumptyScrub

      Re: New most common password

      Since we're talking about banking, I'd have said

      :) :| :( >:(

      1. Anonymous Coward
        Anonymous Coward

        Re: New most common password

        8====D

        ...surely

  13. This post has been deleted by its author

    1. This post has been deleted by its author

      1. Michael Wojcik Silver badge

        The division sign is an emoji?

        Well, I suppose there are times I feel divided. Very well, carry on.

  14. Anonymous Coward
    Anonymous Coward

    Somebody please stop the planet...

    I want to get off.

    1. MrXavia
      Facepalm

      Re: Somebody please stop the planet...

      I'm saving up for a move to Mars, it may be a dead, cold, dessert of a planet, but surely they must have more intelligent life than here....

      Emoji's as passwords?

      Why not just allow 8 digit pins?

      Or has the general public became so dumb they can't remember 8 digits in sequence any more?

      1. VinceH

        Re: Somebody please stop the planet...

        "Why not just allow 8 digit pins?

        Or has the general public became so dumb they can't remember 8 digits in sequence any more?"

        I don't think the general public is too dumb to remember eight digits - but I do think some members of the general public are probably too dumb to be sensible about those eight digits in the first place, and you'll probably get people using the last 8 digits of their phone number backwards*, and stuff like that.

        * This is already common in four digit pins for house alarms, based several I know. (Which, arguably, I shouldn't know, but that's a whole other problem!

      2. Rich 11 Silver badge

        Re: Somebody please stop the planet...

        Or has the general public became so dumb they can't remember 8 digits in sequence any more?

        Everyone can manage 8 digits, as long as it's their birthdate: yyyymmdd. Can't see a problem in that.

      3. Kubla Cant
        Headmaster

        Re: Somebody please stop the planet...

        @MrXavia a dead, cold, dessert of a planet

        Made of blancmange?

        1. Anonymous Coward
          Anonymous Coward

          Re: Somebody please stop the planet...

          Is mange available in a range of colours???

          Like rougemange, or the more difficult to detect noirmange?

          1. Kubla Cant

            Re: Somebody please stop the planet...

            My recollection is that blancmange only came in two colours, white and pink, or, if you prefer rosemange.

      4. This post has been deleted by its author

  15. VinceH

    Optional

    Meanwhile, what's actually happening with at least one bank...

    Up until a few years ago, I logged into my personal accounts with an ID and a password. Then they decided to add 2FA using a dedicated security device - which is sensible enough, obviously.

    However, when they did that, they decided to drop the use of a password on the website (you need a pin for the 2FA device) and add a security question, where you get to choose one of a number of questions (mother's maiden name, first school, etc) and put in your answer.

    Fast forward to now.

    "Online Banking is evolving" they say. "The next time you log on to Online Banking you'll be asked to create a new password"

    To be fair, this doesn't do away with the security key - this password is so you can "access essential Online Banking services" without the 2FA device. I still find it quite amusing, though, that having done away with passwords a couple of years ago, they're now introducing passwords.

    They're also introducing a new version of the 2FA device - which, apparently, is a new 'digital' one.

    What do they mean by digital? They mean it's not a separate physical device - it's a smartphone app.

    So when they say you can "access essential Online Banking services" without the 2FA device, for those who opt for the app* they mean "when your battery has run out."

    * Customers have the choice of continuing with the separate device or using the app - so it's not compulsory. Yet.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Optional

      Can't remember who, but one site had as one of its trick - sorry security questions "Mother's place of Birth".

      On selecting that and entering my response it came back with "Sorry, that's too easy to guess. Please select another question." WTF?!!

      1. FrogsAndChips Silver badge

        Re: Optional

        "Mother's place of Birth".. "Sorry, that's too easy to guess"

        BT,DT with my mother's maiden name. Only 3 letters...

        1. Captain DaFt

          Re: Optional

          My Waterloo was: "Your favorite color"

          Red... invalid, must be seven or more letters

          hm,

          Purple... invalid, must be seven or more letters

          Uh,

          Yellow... invalid, must be seven or more letters

          FUCKYOUDIESOB... invalid, not a color

          Apparently, the site only caters to women and interior decorators.

          1. Anonymous Coward
            Anonymous Coward

            Re: Optional

            What... is your name?

            What... is your quest?

            What... is your favourite colour? "Blue. No! YELLOOOOOOOOOO....."

    3. h4rm0ny
      Unhappy

      Re: Optional

      I know exactly which bank you're talking about. Would you mind if I named and shamed? They're moving away from MTA at a time when they absolutely shouldn't.

      Actually, I respect not wanting to disclose personal banking information, but it's pretty vague and useless so I'm just going to go ahead and say that this is HSBC we're talking about. Their security has just taken a notable step backwards with this. Phone app and passeprd might be more convenient if you don't have the key fob on you, but it is NOT as secure.

      1. VinceH

        Re: Optional

        "Actually, I respect not wanting to disclose personal banking information, but it's pretty vague and useless"

        I don't mind disclosing the bank. Not naming them was probably just instinctive - I wouldn't name a client's bank (at least not when specifically mentioning the client), so I expect that's rubbing off on me personally, IYSWIM. (Plus, if HSBC are doing it, I suspect others will follow)

        "so I'm just going to go ahead and say that this is HSBC we're talking about. Their security has just taken a notable step backwards with this. Phone app and passeprd might be more convenient if you don't have the key fob on you, but it is NOT as secure."

        Quite so.

        What annoys me, though, is that they did away with the use of a password in the first place, adding in the silly security question in its place.

        I tend to suggest to people that if a system doesn't offer a password as an option, and a question like that instead, treat that as a password prompt. I then have to stress the need to make sure it's unique because - not being a password from the site's point of view - I wouldn't like to bet on it being salted and hashed.

        Speaking of which... I'm by no means a security expert, but I know more than most people I know, but one thing which has been bugging me of late:

        'Please enter the 3rd, 5th and 8th letters of your password [ _ ] [ _ ] [ _ ]'

        I see this on some banking websites. Surely, if you can enter a selection of characters and have them validated against your password, that means the password can't be salted and hashed?

        1. h4rm0ny

          Re: Optional

          >>Speaking of which... I'm by no means a security expert, but I know more than most people I know, but one thing which has been bugging me of late:

          'Please enter the 3rd, 5th and 8th letters of your password [ _ ] [ _ ] [ _ ]'

          I see this on some banking websites. Surely, if you can enter a selection of characters and have them validated against your password, that means the password can't be salted and hashed?

          It implies symmetrical encryption. So the password in the database will be encrypted (I would hope!) but much like you keep a salt for your hashes, you keep a key for encryption/decryption. In either case, an attacker would need not only the records themselves but also the accompanying salt or key, respectively. However, this can happen and with a hash, they're essentially guessing at passwords and seeing if they match the hash, whereas with encryption they can actually reverse it, so yes - all else being equal the encryption method is less secure. (Caveat for completeness, using something like BCrypt takes longer than using say MD5 for hashes which slows down the speed at which one can match possible passwords against the hash / encrypted form).

          Either that, or HSBC has decided to hash each letter of your password individually for extra security. ;) :D

          1. VinceH

            Re: Optional

            Ta. That's more or less what I'd guessed would probably be the case. :/

            On the whole, I think I'd much rather they asked me for the full password, so they can compare the hashes - but I run a very clean computer (food in the keyboard aside), and I have to accept that this may not be the case for Joe Public, meaning a risk of key-logging malware. I suppose as long as they use 2FA, though, the flaws with both methods are mitigated.

            "Either that, or HSBC has decided to hash each letter of your password individually for extra security. ;) :D"

            Heh.

            Actually, thinking about those systems that limit your password to n characters, perhaps that's why... ;)

            Joking aside, I'm not talking about HSBC at that point. I haven't yet logged in and created a new password - so I don't know yet if they require the whole password when logging in after, or specific characters from it.

            OTTOMH, a couple that do are Natwest (for Bankline) and Barclaycard. Bankline also uses a pin (for which three digits are required to log in - same as the password), and they do use 2FA via a dedicated security device, but not for the initial log in.

          2. Anonymous Coward
            Anonymous Coward

            Re: Optional

            "So the password in the database will be encrypted (I would hope!) but much like you keep a salt for your hashes, you keep a key for encryption/decryption. In either case, an attacker would need not only the records themselves but also the accompanying salt or key, respectively."

            That's different though. The salt is always stored alongside the hash. Its purpose is not to hide the data, but to mean that you can't match it against precomputed hash tables.

            "Either that, or HSBC has decided to hash each letter of your password individually for extra security."

            I wouldn't put it past them :-)

        2. alexdonald

          Re: Optional

          Don't change to the app version.

          I did. Then my phone broke.

          Easy, I thought, I'll just order a new key fob... But low and behold, you need the old authenticator to activate the new one. Which was on my phone. Which was broken.

          It took ages on the phone, and another letter before I'd got the new fob working again. Grr.

          (It's probably sensible that it's not easy to replace the authenticator, but it was posted to my house, which is deemed acceptable for my bank card and its associated pin)

  16. JimmyPage
    Stop

    Yawn ...

    Seems a retread of the idea (20 years ago) to use photos instead of numbers with the customer knowing which 4 they had logged as their password.

  17. Aristotles slow and dimwitted horse

    How does it work over the phone...

    When I phone my bank, as part of the validation process they ask me to correctly state certain key characters of my password...

    Bank : What is letter two of your password?

    Me : Err.. it's kind of a sad Japanese looking girl with rosy cheeks and a tear in her eye.

    Bank : And letter number seven?

    Me : It's a happy looking dog.

    Bank : No that's incorrect.

    Me : A miserable cat?

    Bank : No.

    Me : A happy horse?

    How novel.

  18. chrullrich

    What a truly novel idea!

    Ah. So the old ways of using a secret combination of several visually distinct symbols from a set of 10 for authentication are, well, old, and the bright new future is using a secret combination of several visually (not so) distinct symbols from a set of 44?

    Whoever came up with that unique and creative idea is certainly a genius and deserves a large bonus.

  19. Haku
  20. Andrew Jones 2

    The problem I see with this is we all whether we are concious of it or not - choose something that forms a pattern. The chances are that the emoji picked will form a story in users brain. It would be interesting for a study to be done with a large number of people - where the emoji picked are recorded - and then find out how many of the full library of available emoji are actually picked as the starting emoji, you could then find out how many real possible combinations there are after the starting emoji.

  21. 27escape
    Facepalm

    how about using letters and numbers

    I know its a bit radical but that could also work

    much like a password

    yes yes people will use the name of their dog/cat/pet thing and they will be easy to guess but I guess some combinations will be more popular than others anyway

  22. Dan Paul

    Too many crackheads with bright ideas

    No, just no absolutely no. Don't waste your (and our) time with this nonsense, PLEASE.

    Life is full of useless crap already without adding even more useless crap like emoji's to authentication.

  23. Boothy

    Quote: "should users pick emojis in sequential order"

    So randomise the layout of the input screen each time!

    That also stops people from using placement patterns, which are common on keyboards. (e.g. people doing 1793 on a key pad (i.e. the corner keys).

    Password cracking tools these days, not only do dictionary lookups and substitution etc. they look for key position input patterns (qwerty etc).

  24. Anonymous Coward
    Anonymous Coward

    "And dogs communicate by sniffing each other's backsides. Maybe that would make a good authentication method."

    Hmmm, so you've just dropped your kecks and are about to point your buttocks at the ATM's "Sniff-O-Matic(TM)" sensor, when someone comes up and either parks their bike or <http://ars.userfriendly.org/cartoons/?id=20150602>

  25. CaptainBanjax

    Oh man

    Imagine the conversation setting up a bank account.

    Banker: Ok please set a pin.

    Punter ok. Smileyface Smileyface Cumface Clownface

    Banker: Excellent. When you use your card for the first time you will be asked to change your PIN.

    Hah!

  26. Frogmelon

    As Ren and Stimpy once declared, "Happy Happy Joy Joy!" :)

  27. John Brown (no body) Silver badge
    Meh

    Ok, so what's the difference....

    ...between smilies, emoticons and emojis?

    1. Rusty 1
      Flame

      Re: Ok, so what's the difference....

      Smilies - pretty straightforward and nicely understood plain ASCII composite glyphs.

      Emoticons - message board graphical representations of smilies. Quite neat in their day.

      Emojis - a cancer, a virulent cancer. Should be about as popular as an STI in a whore house. Nuke from orbit, yes that's probably about right.

  28. paulf
    Trollface

    Patent?

    "...the concept is likely not able to be patented but is probably the first of its kind."

    It's ok, we've just found the USPTO and they've granted us a patent with no questions asked as long as we paid the fee immediately (cash only).

  29. Anonymous Coward
    Anonymous Coward

    The new 1234 will be

    Four poop emojis...

    While there may be 480x emojis as digits, and maybe someday 4800x as many, most people will use a much smaller subset. On my iPhone, the recently used emojis are maintained to make them easier to type - that's where the ones you use for PINs would be, so an attacker would go from 10^4 to maybe 30^4 permutations at most.

  30. Arachnoid
    Happy

    Hmm young and emoticons

    Erm,,,,,,,,,weed leaf,weed leaf,weed leaf,spliff ........cool man no one will guess that

  31. Jin

    Re-invented?

    It appears that what have been around commercially for 15 years is now getting re-invented.

    Such a story-involving picture password has, for instance, long been a component of Expanded Password System shown at

    http://www.slideshare.net/HitoshiKokumai/death-to-password-no-it-is-given-a-new-life

  32. Alan Denman

    Utter rubbish

    There are far less combinations than upper lower case + symbols and numbers.

    And we know that people will likely gravitate to certain, even more limited emoji combinations.

  33. itzman
    Paris Hilton

    The modern age ....

    Seems to be one where the technology gets smarter and smarter so that people can get stupider and stupider.

    Who remembers hand calculation with tables of logarithms?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like