# British banks consider emoji as password replacement

British outfit Intelligent Environments says it is in discussions with online banks to sell what it says is the first authentication scheme to replace passwords with emojis. The company claims emojis have 480 times more permutations than four digit passcode equivalents, a statistic we've struggled to verify independently. …

1. The maths isn't too hard to verify, your combinations of pin numbers should be 10 x 9 x 9 x 9 (since you can start with 10 digits but then cannot pick the same number as the one before it) giving 7290

For more characters then, you do increase your number of permutations to be 44 x 43 x 43 x 43 = 3498308

So they claim that their method increases the number of permutations by a factor of 480 (not 480 more as that implies 7770 permutations)

1. Actually, the maths doesn't stack up.

They go on about replacing passwords but their comparison is against PINs. That's not exactly an apples to apples comparison...

A 4 digit PIN (numbers 0-9) is 10,000 permutations, 7,290 non-sequential permutations.

A 4 emoji "password" (44 possible emoji) is 3,498,308 non-sequential permutations.

A 4 character password (*just* upper & lowercase) is 7,311,616 permutations.

If you throw numbers into the mix too, there's 14,776,336 permutations.

So, even compared to the weakest of passwords, there is still a 3.8 million reduction in the keyspace.

The notion that banks will replace the ATM PIN with this is just nonsense... most still use Windows XP for heaven's sake.

2. "An Intelligent-Environment-commissioned survey found British teenagers regularly converse over SMS using nothing more than emojis"

Yes. They're known as illiterates.

1. #### All hail the illiterati!

So teenagers have as *many* as forty-four discrete communications symbols? Who'd have thought it?

1. #### Re: All hail the illiterati!

Anybody remember the experiments done with apes, giving them speech boxes with icons printed on the keyboards?

2. So basically they are communicating like Beavis and Butthead, just from further away.

1. Shut up, dilweed!

Steven "uuh huhuhuh" R

3. #### Great Idea!

Obviously, the response to people not being able to remember their passwords because they have so many of them is to provide a completely different set of input values to choose from. Additionally, because a small subset of the population uses this set of characters on a regular basis, it will have broad enough appeal to make implementation worthwhile. It's bad enough that the Unicode Consortium thinks it's a good idea to add emoji to the character set... Now there's an idea: why not just add the entire Unicode character set to the available choices for passwords? That would provide 110,000^n possible combinations to choose from using an n-digit password. Patent pending on input device.

8€

1. #### Re: Great Idea!

Exactly, I can't imagine banks encode in ASCII - so they probably use UTF-8 and can already accept emoji as passwords, how is this new??

1. #### Re: Great Idea!

I can't imagine banks encode in ASCII either - they're still using EBCDIC.

1. #### Re: Great Idea!

"... they're still using EBCDIC."

Yup, and the front-end developers then limit the legal password characters to letters and numbers -- no symbols. I'm still boggled by the assumptions behind that limitation (the big one being the assumption that the password is stored unencrypted -- one hopes that's no longer true in the 21st century).

2. #### Re: Great Idea!

On the other hand I know a bank that forbids any character stranger than a "-" in a password, will not let you use a password longer than 16 characters, but requires you to use a lowercase and uppercase letter and a number.

Don't ever expect banks to do the sensible thing.

1. #### Re: Great Idea!

Been asking my bank for three years, and it's still alpha letters, not case sensitive, numbers, and no, repeat NO special characters.

Their argument, with an apparently straight face, is that anything better would confuse customers.

2. #### Re: Great Idea!

As a bonus, good luck writing it down on a post-it :D

1. #### Re: good luck writing it down on a post-it :D

But on the plus side, the chances of anyone /else/ being able to decipher the password written on the post-it are very greatly reduced.

1. #### "the chances of anyone /else/ being able to decipher the password are greatly reduced"

I must be missing something here. Nobody I know writes down emojis, so surely anyone seeing four of them on a Post-It would immediately know it was a password?

3. #### Re: Great Idea!

Patent pending on input device.

Just hold down the Alt key while entering + and the hex code...

4. #### @ Robert Helpmann?? Re: Great Idea!

Well done sir, I was thinking the exact same thing.

Have an internet.

4. #### "What's clear is that the younger generation is communicating in new ways,”

Well, such has always been so. And then the younger generation eventually grows up and realises that a common form of communicating is necessary for a society to exist, and gets with the (old) beat

Why screw with what works just to please fans of a passing fad?

1. #### Re: "What's clear is that the younger generation is communicating in new ways,”

Because some knob-end thinks they can make money out of selling the idea to idiots.

2. #### True enough.....

"What's clear is that the younger generation is communicating in new ways”.

Yup. Back in my day, it was 2 ski yoghurt cartons and a piece of string. And you had enough change for the bus ride home.

5. This post has been deleted by its author

1. Wot no urinating dog?

1. #### What I did on my Holidays

...and on the 14th day, the Great Wizzard went to the place of the bank, and did insert a piece of card into a hole in the wall, and say a magic incantation, and received in return pieces of paper he called money [urinating dog) (urinating dog]

2. The post contains some characters we can’t support

2. I can't wait to apply for a new credit card, open the letter with the PIN advice inside, and have it tell me that my new pin is"

Correct horse battery staple!

All of a sudden, xkcd 936 becomes relevant in a whole new way!

3. If I can choose mine, it will be Rock, Scissors, Lizard, Spock.

I'll keep the Paper to write the PIN on...

6. So I wonder how many will choose something like this:

....................../´¯/)

....................,/¯../

.................../..../

............./´¯/'...'/´¯¯`·¸

........../'/.../..../......./¨¯\

........('(...´...´.... ¯~/'...')

.........\.................'...../

..........''...\.......... _.·´

............\..............(

..............\.............\...

7. #### Yep, brilliant idea

give the older generation (of which i rapidly approach) another pointless password / security "thing".

Because the "youngsters" do it does not mean it's an infallible system. The biggest issue i see without even thinking about it is that there are a hundred bleeding variants of a sad "emoji" (when the fuck did that spew into the English language). Or a dozen variants of a "Happy" one.

Doomed to fail if you are over 50 with early onset rainbows.

I'm as confused as a mood ring on a bi-polar schizophrenic chameleon in a bag of skittles.

8. #### Square Underscore Square

Or was that the sound of a joke whooshing over my head?

1. #### Re: Square Underscore Square

Evidently you don't have the right font.

It should look like this.

1. #### Re: Square Underscore Square

> Evidently you don't have the right font.

Yes, I had a feeling those weren't supposed to be square eyes! Not sure if it's necessarily better than a 'directly typeable' wide-smiley like (@_@) though.

So now all I have to do is figure out which of my fonts has these things included:

1) the one that looks like it was done by a typewriter

2) the one that looks like it came from a book

3) the one that looks like the lettering on platform signs at railway stations

or

4) none of them because everything else is wingdings or dingbats or *ptui* comic sans. A cause of extreme disorientation given this here is a bare-bones X11.

9. #### I'm still trying to wrap my head around

"Our research shows 64 percent of millennials regularly communicate only using emojis."

Really?

1. #### Re: I'm still trying to wrap my head around

So, how did they do the research?

2. #### Re: I'm still trying to wrap my head around

Chimps communicate using grunts.

Doesn't make the communication any meaningful outside their social circle, but it's useful enough to attract a mate and get rid of competition.

3. #### Re: I'm still trying to wrap my head around

Incidentally that's the percentage of illiterate youngsters.

4. #### Re: I'm still trying to wrap my head around

"Our research shows 64 percent of millennials regularly communicate only using emojis."

Really?

Well... I know I've been guilty, in my distant past, of sending simply a smile as a text. Something like this:

Alice: You still ok to meet at 8?

Bob: :)

It's not like complex sentences and refined thoughts are _always_ required to count as communication. A simple yes/no can be represented in a thousand ways, and many quick texts consist of nothing more.

1. #### Re: I'm still trying to wrap my head around

I did once reply to a post wondering why a particular website was crashing, with the two symbols forward slash and full stop.

2. #### Re: I'm still trying to wrap my head around

It's not like complex sentences and refined thoughts are _always_ required to count as communication. A simple yes/no can be represented in a thousand ways, and many quick texts consist of nothing more.

Very true. Apparently many of the posters here don't understand how written communication works. But it's traditional for Reg commentators to complain about things they don't understand.

On the other hand, I always use complete sentences and preferred usage and punctuation in my text messages. It's worth dozens of curmudgeon points and bolsters my (already robust) feeling of smug superiority. It's the main reason why I only buy phones with physical QWERTY keyboards.

5. #### Re: I'm still trying to wrap my head around

This must be some new meaning of 'communicate' which I'm not familiar with.

1. #### Re: I'm still trying to wrap my head around

This must be some new meaning of 'communicate' which I'm not familiar with.

You have plenty of company. Most folks here are broadly ignorant of the meanings of "communicate".

10. #### "Our research shows 64 percent of millennials regularly communicate only using emojis"

And dogs communicate by sniffing each other's backsides. Maybe that would make a good authentication method.

11. What the hell is an emoji?

12. #### New most common password

And the most common password isn't 1234 any more, its

:) :) :( ;)

1. #### Re: New most common password

Since we're talking about banking, I'd have said

:) :| :( >:(

1. #### Re: New most common password

8====D

...surely

13. This post has been deleted by its author

1. This post has been deleted by its author

1. The division sign is an emoji?

Well, I suppose there are times I feel divided. Very well, carry on.

14. #### Somebody please stop the planet...

I want to get off.

1. #### Re: Somebody please stop the planet...

I'm saving up for a move to Mars, it may be a dead, cold, dessert of a planet, but surely they must have more intelligent life than here....

Why not just allow 8 digit pins?

Or has the general public become so dumb they can't remember 8 digits in sequence any more?

1. #### Re: Somebody please stop the planet...

"Why not just allow 8 digit pins?

Or has the general public become so dumb they can't remember 8 digits in sequence any more?"

I don't think the general public is too dumb to remember eight digits - but I do think some members of the general public are probably too dumb to be sensible about those eight digits in the first place, and you'll probably get people using the last 8 digits of their phone number backwards*, and stuff like that.

* This is already common in four digit pins for house alarms, based on several I know. (Which, arguably, I shouldn't know, but that's a whole other problem!)

2. #### Re: Somebody please stop the planet...

Or has the general public become so dumb they can't remember 8 digits in sequence any more?

Everyone can manage 8 digits, as long as it's their birthdate: yyyymmdd. Can't see a problem in that.

3. #### Re: Somebody please stop the planet...

@MrXavia a dead, cold, dessert of a planet

1. #### Re: Somebody please stop the planet...

Is mange available in a range of colours???

Like rougemange, or the more difficult to detect noirmange?

1. #### Re: Somebody please stop the planet...

My recollection is that blancmange only came in two colours, white and pink, or, if you prefer rosemange.

4. This post has been deleted by its author

15. #### Optional

Meanwhile, what's actually happening with at least one bank...

Up until a few years ago, I logged into my personal accounts with an ID and a password. Then they decided to add 2FA using a dedicated security device - which is sensible enough, obviously.

However, when they did that, they decided to drop the use of a password on the website (you need a pin for the 2FA device) and add a security question, where you get to choose one of a number of questions (mother's maiden name, first school, etc) and put in your answer.

Fast forward to now.

"Online Banking is evolving" they say. "The next time you log on to Online Banking you'll be asked to create a new password"

To be fair, this doesn't do away with the security key - this password is so you can "access essential Online Banking services" without the 2FA device. I still find it quite amusing, though, that having done away with passwords a couple of years ago, they're now introducing passwords.

They're also introducing a new version of the 2FA device - which, apparently, is a new 'digital' one.

What do they mean by digital? They mean it's not a separate physical device - it's a smartphone app.

So when they say you can "access essential Online Banking services" without the 2FA device, for those who opt for the app* they mean "when your battery has run out."

* Customers have the choice of continuing with the separate device or using the app - so it's not compulsory. Yet.

1. This post has been deleted by its author

2. #### Re: Optional

Can't remember who, but one site had as one of its trick - sorry security questions "Mother's place of Birth".

On selecting that and entering my response it came back with "Sorry, that's too easy to guess. Please select another question." WTF?!!

1. #### Re: Optional

"Mother's place of Birth".. "Sorry, that's too easy to guess"

BT,DT with my mother's maiden name. Only 3 letters...

1. #### Re: Optional

My Waterloo was: "Your favorite color"

Red... invalid, must be seven or more letters

hm,

Purple... invalid, must be seven or more letters

Uh,

Yellow... invalid, must be seven or more letters

FUCKYOUDIESOB... invalid, not a color

Apparently, the site only caters to women and interior decorators.

1. #### Re: Optional

What... is your favourite colour? "Blue. No! YELLOOOOOOOOOO....."

3. #### Re: Optional

I know exactly which bank you're talking about. Would you mind if I named and shamed? They're moving away from MTA at a time when they absolutely shouldn't.

Actually, I respect not wanting to disclose personal banking information, but it's pretty vague and useless so I'm just going to go ahead and say that this is HSBC we're talking about. Their security has just taken a notable step backwards with this. Phone app and password might be more convenient if you don't have the key fob on you, but it is NOT as secure.

1. #### Re: Optional

"Actually, I respect not wanting to disclose personal banking information, but it's pretty vague and useless"

I don't mind disclosing the bank. Not naming them was probably just instinctive - I wouldn't name a client's bank (at least not when specifically mentioning the client), so I expect that's rubbing off on me personally, IYSWIM. (Plus, if HSBC are doing it, I suspect others will follow)

"so I'm just going to go ahead and say that this is HSBC we're talking about. Their security has just taken a notable step backwards with this. Phone app and password might be more convenient if you don't have the key fob on you, but it is NOT as secure."

Quite so.

What annoys me, though, is that they did away with the use of a password in the first place, adding in the silly security question in its place.

I tend to suggest to people that if a system doesn't offer a password as an option, and a question like that instead, treat that as a password prompt. I then have to stress the need to make sure it's unique because - not being a password from the site's point of view - I wouldn't like to bet on it being salted and hashed.

Speaking of which... I'm by no means a security expert, but I know more than most people I know, but one thing which has been bugging me of late:

'Please enter the 3rd, 5th and 8th letters of your password [ _ ] [ _ ] [ _ ]'

I see this on some banking websites. Surely, if you can enter a selection of characters and have them validated against your password, that means the password can't be salted and hashed?

1. #### Re: Optional

>>Speaking of which... I'm by no means a security expert, but I know more than most people I know, but one thing which has been bugging me of late:

'Please enter the 3rd, 5th and 8th letters of your password [ _ ] [ _ ] [ _ ]'

I see this on some banking websites. Surely, if you can enter a selection of characters and have them validated against your password, that means the password can't be salted and hashed?

It implies symmetrical encryption. So the password in the database will be encrypted (I would hope!) but much like you keep a salt for your hashes, you keep a key for encryption/decryption. In either case, an attacker would need not only the records themselves but also the accompanying salt or key, respectively. However, this can happen and with a hash, they're essentially guessing at passwords and seeing if they match the hash, whereas with encryption they can actually reverse it, so yes - all else being equal the encryption method is less secure. (Caveat for completeness, using something like BCrypt takes longer than using say MD5 for hashes which slows down the speed at which one can match possible passwords against the hash / encrypted form).

Either that, or HSBC has decided to hash each letter of your password individually for extra security. ;) :D

1. #### Re: Optional

Ta. That's more or less what I'd guessed would probably be the case. :/

On the whole, I think I'd much rather they asked me for the full password, so they can compare the hashes - but I run a very clean computer (food in the keyboard aside), and I have to accept that this may not be the case for Joe Public, meaning a risk of key-logging malware. I suppose as long as they use 2FA, though, the flaws with both methods are mitigated.

"Either that, or HSBC has decided to hash each letter of your password individually for extra security. ;) :D"

Heh.

Joking aside, I'm not talking about HSBC at that point. I haven't yet logged in and created a new password - so I don't know yet if they require the whole password when logging in after, or specific characters from it.

OTTOMH, a couple that do are Natwest (for Bankline) and Barclaycard. Bankline also uses a pin (for which three digits are required to log in - same as the password), and they do use 2FA via a dedicated security device, but not for the initial log in.

2. #### Re: Optional

"So the password in the database will be encrypted (I would hope!) but much like you keep a salt for your hashes, you keep a key for encryption/decryption. In either case, an attacker would need not only the records themselves but also the accompanying salt or key, respectively."

That's different though. The salt is always stored alongside the hash. Its purpose is not to hide the data, but to mean that you can't match it against precomputed hash tables.

"Either that, or HSBC has decided to hash each letter of your password individually for extra security."

I wouldn't put it past them :-)
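Added example, not part of any commenter's post: a Python sketch of the storage question raised in this sub-thread. Scheme A keeps one salted hash of the whole password, which cannot answer "3rd, 5th and 8th letter" prompts; Scheme B takes the "hash each letter individually" joke literally, which can answer them but lets anyone holding the record recover every letter in at most 62 guesses each. The 62-symbol alphabet, the iteration count, the function names and the sample password are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed policy)
ITERATIONS = 1_000  # demo value so the block runs fast; far too low for real use


def kdf(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


# Scheme A: one salted hash over the whole password.
def enroll_whole(password: str) -> dict:
    salt = os.urandom(16)  # stored next to the hash; it only defeats precomputed tables
    return {"salt": salt, "hash": kdf(password, salt)}


def verify_whole(record: dict, candidate: str) -> bool:
    return hmac.compare_digest(kdf(candidate, record["salt"]), record["hash"])


# Scheme B: every letter salted and hashed on its own.
def enroll_per_letter(password: str) -> list:
    record = []
    for ch in password:
        salt = os.urandom(16)
        record.append((salt, kdf(ch, salt)))
    return record


def verify_partial(record: list, answers: dict) -> bool:
    """answers maps a 1-based position to the letter typed, e.g. {3: '0', 5: 'b'}."""
    ok = True
    for pos, letter in answers.items():
        if not 1 <= pos <= len(record):
            return False
        salt, digest = record[pos - 1]
        ok &= hmac.compare_digest(kdf(letter, salt), digest)
    return ok


def audit_per_letter(record: list) -> tuple:
    """What a leaked Scheme B record gives away: (password, KDF calls needed)."""
    recovered, calls = [], 0
    for salt, digest in record:
        for ch in ALPHABET:  # per-letter salts do not help: only 62 candidates
            calls += 1
            if hmac.compare_digest(kdf(ch, salt), digest):
                recovered.append(ch)
                break
        else:
            recovered.append("?")  # letter outside the assumed alphabet
    return "".join(recovered), calls


def worst_case_guesses(length: int) -> tuple:
    """(guesses against Scheme A, guesses against Scheme B) for a given length."""
    return len(ALPHABET) ** length, len(ALPHABET) * length


if __name__ == "__main__":
    pw = "Tr0ub4dor"  # constructed sample password
    a, b = enroll_whole(pw), enroll_per_letter(pw)
    print("A accepts whole password:", verify_whole(a, pw))
    print("A given only letters 3,5,8:", verify_whole(a, "0bo"))
    print("B accepts letters 3,5,8:", verify_partial(b, {3: "0", 5: "b", 8: "o"}))
    print("B record audit:", audit_per_letter(b))
    print("worst-case guesses (A, B):", worst_case_guesses(len(pw)))
```
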

2. #### Re: Optional

Don't change to the app version.

I did. Then my phone broke.

Easy, I thought, I'll just order a new key fob... But lo and behold, you need the old authenticator to activate the new one. Which was on my phone. Which was broken.

It took ages on the phone, and another letter before I'd got the new fob working again. Grr.

(It's probably sensible that it's not easy to replace the authenticator, but it was posted to my house, which is deemed acceptable for my bank card and its associated pin)

16. #### Yawn ...

Seems a retread of the idea (20 years ago) to use photos instead of numbers with the customer knowing which 4 they had logged as their password.

17. #### How does it work over the phone...

When I phone my bank, as part of the validation process they ask me to correctly state certain key characters of my password...

Me : Err.. it's kind of a sad Japanese looking girl with rosy cheeks and a tear in her eye.

Bank : And letter number seven?

Me : It's a happy looking dog.

Bank : No that's incorrect.

Me : A miserable cat?

Bank : No.

Me : A happy horse?

How novel.

18. #### What a truly novel idea!

Ah. So the old ways of using a secret combination of several visually distinct symbols from a set of 10 for authentication are, well, old, and the bright new future is using a secret combination of several visually (not so) distinct symbols from a set of 44?

Whoever came up with that unique and creative idea is certainly a genius and deserves a large bonus.

19. The problem I see with this is we all whether we are conscious of it or not - choose something that forms a pattern. The chances are that the emoji picked will form a story in user's brain. It would be interesting for a study to be done with a large number of people - where the emoji picked are recorded - and then find out how many of the full library of available emoji are actually picked as the starting emoji, you could then find out how many real possible combinations there are after the starting emoji.

20. #### how about using letters and numbers

I know it's a bit radical but that could also work

yes yes people will use the name of their dog/cat/pet thing and they will be easy to guess but I guess some combinations will be more popular than others anyway

21. #### Too many crackheads with bright ideas

No, just no absolutely no. Don't waste your (and our) time with this nonsense, PLEASE.

Life is full of useless crap already without adding even more useless crap like emojis to authentication.

22. #### Quote: "should users pick emojis in sequential order"

So randomise the layout of the input screen each time!

That also stops people from using placement patterns, which are common on keyboards. (e.g. people doing 1793 on a key pad (i.e. the corner keys)).

Password cracking tools these days, not only do dictionary lookups and substitution etc. they look for key position input patterns (qwerty etc).

23. "And dogs communicate by sniffing each other's backsides. Maybe that would make a good authentication method."

Hmmm, so you've just dropped your kecks and are about to point your buttocks at the ATM's "Sniff-O-Matic(TM)" sensor, when someone comes up and either parks their bike or <http://ars.userfriendly.org/cartoons/?id=20150602>

24. #### Oh man

Imagine the conversation setting up a bank account.

Banker: Ok please set a pin.

Punter: ok. Smileyface Smileyface Cumface Clownface

Banker: Excellent. When you use your card for the first time you will be asked to change your PIN.

Hah!

25. As Ren and Stimpy once declared, "Happy Happy Joy Joy!" :)

26. #### Ok, so what's the difference....

...between smilies, emoticons and emojis?

1. #### Re: Ok, so what's the difference....

Smilies - pretty straightforward and nicely understood plain ASCII composite glyphs.

Emoticons - message board graphical representations of smilies. Quite neat in their day.

Emojis - a cancer, a virulent cancer. Should be about as popular as an STI in a whore house. Nuke from orbit, yes that's probably about right.

27. #### Patent?

"...the concept is likely not able to be patented but is probably the first of its kind."

It's ok, we've just found the USPTO and they've granted us a patent with no questions asked as long as we paid the fee immediately (cash only).

28. #### The new 1234 will be

Four poop emojis...

While there may be 480x emojis as digits, and maybe someday 4800x as many, most people will use a much smaller subset. On my iPhone, the recently used emojis are maintained to make them easier to type - that's where the ones you use for PINs would be, so an attacker would go from 10^4 to maybe 30^4 permutations at most.

29. #### Hmm young and emoticons

Erm,,,,,,,,,weed leaf,weed leaf,weed leaf,spliff ........cool man no one will guess that

30. #### Re-invented?

It appears that what has been around commercially for 15 years is now getting re-invented.

Such a story-involving picture password has, for instance, long been a component of Expanded Password System shown at

31. #### Utter rubbish

There are far less combinations than upper lower case + symbols and numbers.

And we know that people will likely gravitate to certain, even more limited emoji combinations.

32. #### The modern age ....

Seems to be one where the technology gets smarter and smarter so that people can get stupider and stupider.

Who remembers hand calculation with tables of logarithms?
