What more can be done about passwords?
We tell users to choose unique, complicated passwords that contain a gallimaufry of bizarre characters – and they tell us they’re impossible to remember, especially when they need to remember different passwords for the many different websites out there.
We tell computer users to get help with remembering their complex login credentials by using a password manager, and most of them look at us like we’re talking Esperanto.
The result? People continue to use passwords like “Password1”, or their favourite soccer team, or their year of birth as their supposedly secure PIN code.
Ideally, I would hope that people would adopt password management software – as it can do such a good job of generating complex, truly random passwords, and storing them securely for easy retrieval when required. But it seems the great unwashed public isn’t entirely ready for that as a solution.
So, to be practical, we need to look for other solutions.
Enter UK tech firm Intelligent Environments, who late last week gave me a sneak preview of their proposed solution to the problem – emoji passcodes.
It’s a neat idea – especially as people typically find it so much easier to remember stories and pictures than numbers and words.
Intelligent Environments work with banks to develop interfaces and systems that you and I might use when checking into our online accounts. So the prototype they showed me isn’t necessarily how the system would end up looking in your own bank’s app, as it would no doubt be customised to the bank’s requirements, but it gives some indication of how the system would work.
First things first, it’s unlikely that any bank would demand that you use emojis for your security passcode. That’s good for curmudgeons like me who get almost as grumpy about emojis as selfie sticks, and also for those whose middle-aged eyesight has deteriorated to such an extent (also me) that it’s pretty hard to tell one emoji from another without a magnifying glass.
So, if you prefer to use a passphrase or a PIN code then you can continue to do so (bank willing).
But if you decided you wanted to set up an emoji passcode then you would be presented with a screen like this.
Now, in the demo I was shown there was only the option for four emoji characters. But that, again, would be entirely up to the bank. It would be trivial to make the system work with six, eight or more if greater security was required.
You’ll also notice that Intelligent Environments isn’t using the standard emojis which come with modern operating systems. Instead, they have made their own. This is intentional because so many emojis are similar with only small differences, which would perhaps make correct selection and remembering more tricky.
And again, clearly, different banks could design and choose their own emojis as they wished. Some may not want the smiley poo, for instance.
Additionally, rather than offering users the daunting choice of thousands of emojis to thumb through, in the demo they offer just 44 (the top right graphic on the keyboard is a delete button).
44 may not sound like much. But a traditional four-digit PIN only provides 7,290 unique permutations of non-repeating numbers. An emoji passcode of the same length gives you “3,498,308 million unique permutations of non-repeating emojis, based on a selection size of 44 emoji.”
That’s quite an improvement.
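The digits 7,290 and 3,498,308 are what you get when a symbol may not immediately follow itself (10 × 9³ and 44 × 43³). The sketch below is an added example, not code from Intelligent Environments: it compares that rule with "repeats allowed" and "every symbol distinct", cross-checks the formulas by enumerating all four-digit PINs, and extends the comparison to the six and eight symbol lengths mentioned earlier. The function names are my own.

```python
import math
from itertools import product

def keyspace(symbols, length, rule):
    """Count passcodes of `length` (>= 1) drawn from `symbols` choices.

    rule: "any"      - repeats allowed anywhere
          "adjacent" - a symbol may not immediately follow itself
          "distinct" - no symbol is used twice
    """
    if rule == "any":
        return symbols ** length
    if rule == "adjacent":
        return symbols * (symbols - 1) ** (length - 1)
    if rule == "distinct":
        return math.perm(symbols, length)
    raise ValueError(f"unknown rule: {rule}")

def brute_force_pins(rule):
    # Cross-check the formulas by walking all 10,000 four-digit PINs.
    def allowed(pin):
        if rule == "adjacent":
            return all(a != b for a, b in zip(pin, pin[1:]))
        if rule == "distinct":
            return len(set(pin)) == len(pin)
        return True
    return sum(allowed(p) for p in product(range(10), repeat=4))

def bits(count):
    # Size of the keyspace expressed as bits of entropy (uniform choice).
    return math.log2(count)

if __name__ == "__main__":
    for rule in ("any", "adjacent", "distinct"):
        assert brute_force_pins(rule) == keyspace(10, 4, rule)
    for length in (4, 6, 8):
        for name, symbols in (("PIN", 10), ("emoji", 44)):
            n = keyspace(symbols, length, "adjacent")
            print(f"{name:5} len {length}: {n:>18,} codes, {bits(n):5.1f} bits")
```
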
Of course, there are other considerations.
For instance, should the emojis be displayed in a random order to prevent bias towards one particular selection? If the emoji selection screen were static, might we see a bias towards passcodes in the top left-hand corner? Would flamenco dancers playing football while carrying scissors in the sunshine become a popular passcode!?
I would hope in any roll-out of the system, the order of emojis would be randomised – and, of course, the fact that different banks can choose different emojis would help prevent users from repeating the same passcodes on multiple systems.
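To see why randomising the order matters, here is a small simulation, added as an illustration and not part of the demo I was shown. It assumes a constructed bias model in which each keyboard slot is picked 0.9 times as often as the slot before it, then measures how predictable the chosen emojis are with a static layout versus a layout shuffled for every enrolment.

```python
import math
import random
from collections import Counter

GRID = 44    # emojis on the demo keyboard
LENGTH = 4   # passcode length in the demo

def position_weights(decay=0.9):
    # Constructed bias model: each slot is chosen 0.9x as often as the
    # slot before it, so the top left-hand corner dominates.
    raw = [decay ** i for i in range(GRID)]
    total = sum(raw)
    return [w / total for w in raw]

def pick_positions(rng, weights):
    # Draw LENGTH distinct slots, honouring the positional bias.
    chosen = []
    while len(chosen) < LENGTH:
        slot = rng.choices(range(GRID), weights=weights)[0]
        if slot not in chosen:
            chosen.append(slot)
    return chosen

def symbol_min_entropy(shuffle_layout, users=20000, seed=1):
    # A seeded PRNG keeps the simulation repeatable; a real keypad would
    # shuffle with a CSPRNG such as secrets.SystemRandom().
    rng = random.Random(seed)
    weights = position_weights()
    counts = Counter()
    for _ in range(users):
        layout = list(range(GRID))      # layout[slot] -> emoji id
        if shuffle_layout:
            rng.shuffle(layout)         # fresh order for every enrolment
        counts.update(layout[s] for s in pick_positions(rng, weights))
    top_share = max(counts.values()) / (users * LENGTH)
    return -math.log2(top_share)        # bits; a uniform choice gives log2(44)

if __name__ == "__main__":
    print(f"static layout:   {symbol_min_entropy(False):.2f} bits per emoji")
    print(f"shuffled layout: {symbol_min_entropy(True):.2f} bits per emoji")
```

With the static layout the most popular emoji is simply whatever sits in the favoured corner; with shuffling, the same finger habits spread across all 44 emojis.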
Quite how users would record their emoji passcode in their password vault I’m not so sure about – maybe write it out longhand? – but all in all, this seems like a novel answer to an ongoing problem that could suit some people very well.
We’re used to banks taking security very seriously. After all, they’re the ones with all the money – so they have the most to lose.
Which has made it all the more baffling that we protect access to our bank accounts via cash machines with a simple four-digit code rather than the kind of complex password any self-respecting website would demand you choose.
Yes, a hole-in-the-wall ATM does require you to be carrying your cash card as well, but it sends a bizarre message for banks to be seemingly teaching people that a code from 0000 to 9999 should be enough to lock up your worldly riches.
Maybe in the future we can hope to see the numerical keypads in ATMs replaced by touch screens showing us emojis instead… that may be a while off, but don’t be surprised if some banking apps start to ask you for your emoji passcode sooner rather than later.