
What more can be done about passwords?

We tell users to choose unique, complicated passwords that contain a gallimaufry of bizarre characters – and they tell us they’re impossible to remember, especially when they need to remember different passwords for the many different websites out there.

We tell computer users to get help with remembering their complex login credentials by using a password manager, and most of them look at us like we’re talking Esperanto.

The result? People continue to use passwords like “Password1”, or their favourite soccer team, or their year of birth as their supposedly secure PIN code.

Ideally, I would hope that people would adopt password management software – as it can do such a good job of generating complex, truly random passwords, and storing them securely for easy retrieval when required. But it seems the great unwashed public isn’t entirely ready for that as a solution.

So, to be practical, we need to look for other solutions.

Enter UK tech firm Intelligent Environments, who late last week gave me a sneak preview of their proposed solution to the problem – emoji passcodes.

It’s a neat idea – especially as people typically find it so much easier to remember stories and pictures than numbers and words.

Intelligent Environments work with banks to develop interfaces and systems that you and I might use when checking into our online accounts. So the prototype they showed me isn’t necessarily how the system would end up looking in your own bank’s app, as it would no doubt be customised to the bank’s requirements, but it gives some indication of how the system would work.

First things first, it’s unlikely that any bank would demand that you use emojis for your security passcode. That’s good for curmudgeons like me who get almost as grumpy about emojis as selfie sticks, and also for those whose middle-aged eyesight has deteriorated to such an extent (also me) that it’s pretty hard to tell one emoji from another without a magnifying glass.

Sign-in method

So, if you prefer to use a passphrase or a PIN code then you can continue to do so (bank willing).

But if you decided you wanted to set up an emoji passcode then you would be presented with a screen like this.

Emoji keyboard

Now, in the demo I was shown there was only the option for four emoji characters. But that, again, would be entirely up to the bank. It would be trivial to make the system work with six, eight or more if greater security was required.

You’ll also notice that Intelligent Environments isn’t using the standard emojis which come with modern operating systems. Instead, they have made their own. This is intentional because so many emojis are similar with only small differences, which would perhaps make correct selection and remembering more tricky.

And again, clearly, different banks could design and choose their own emojis as they wished. Some may not want the smiley poo, for instance.

Emoji success

Additionally, rather than offering users the daunting choice of thousands of emojis to thumb through, in the demo they offer just 44 (the top right graphic on the keyboard is a delete button).

44 may not sound like much. But a traditional four digit PIN only provides 7,290 unique permutations of non-repeating numbers. An emoji passcode of the same length gives you “3,498,308 million unique permutations of non-repeating emojis, based on a selection size of 44 emoji.”

That’s quite an improvement.
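
The counts above can be reproduced by counting four-symbol codes under different repetition rules. The Python below is an added example, not part of the original post or Intelligent Environments' code; the rule names are labels chosen here, and the 62-symbol alphabet is the alphanumeric set raised in the reader comments. The figures 7,290 and 3,498,308 are what the rule "no symbol directly follows itself" yields for 10 and 44 symbols.

```python
from itertools import product
from math import log2, perm

def keyspace(symbols: int, length: int, rule: str) -> int:
    """Count passcodes of `length` drawn from `symbols` distinct symbols."""
    if rule == "any":            # repeats allowed anywhere
        return symbols ** length
    if rule == "no_adjacent":    # a symbol may not directly follow itself
        return symbols * (symbols - 1) ** (length - 1)
    if rule == "all_distinct":   # no symbol used twice in the code
        return perm(symbols, length)
    raise ValueError(f"unknown rule: {rule}")

def brute_force(symbols: int, length: int, rule: str) -> int:
    """Enumerate every code to cross-check the closed forms (small inputs only)."""
    count = 0
    for code in product(range(symbols), repeat=length):
        if rule == "no_adjacent" and any(a == b for a, b in zip(code, code[1:])):
            continue
        if rule == "all_distinct" and len(set(code)) != length:
            continue
        count += 1
    return count

def min_length(symbols: int, target: int) -> int:
    """Shortest code length whose unrestricted keyspace reaches `target`."""
    n = 1
    while symbols ** n < target:
        n += 1
    return n

def report():
    """Keyspace and bits of entropy for 4-symbol codes, assuming uniform choice."""
    rows = []
    for name, size in (("PIN digits", 10), ("emoji", 44), ("alphanumeric", 62)):
        for rule in ("any", "no_adjacent", "all_distinct"):
            n = keyspace(size, 4, rule)
            rows.append((name, rule, n, round(log2(n), 1)))
    return rows

if __name__ == "__main__":
    for name, rule, n, bits in report():
        print(f"{name:13} {rule:13} {n:>12,} {bits:5.1f} bits")
```

The entropy column assumes every code is equally likely; any bias in what users actually pick lowers the effective figure.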

Of course, there are other considerations.

For instance, should the emojis be displayed in a random order to prevent bias to one particular selection? For instance, if the emoji selection screen was static might we see a bias towards passcodes in the top left hand corner? Would flamenco dancers playing football while carrying scissors in the sunshine become a popular passcode!?

Emoji password

I would hope in any roll-out of the system, the order of emojis would be randomised – and, of course, the fact that different banks can choose different emojis would help prevent users from repeating the same passcodes on multiple systems.

Quite how users would record their emoji passcode in their password vault I’m not so sure about – maybe write it out longhand? – but all in all, this seems like a novel approach to an ongoing problem that could suit some people very well.

We’re used to banks taking security very seriously. After all, they’re the ones with all the money – so they have the most to lose.

Which has made it all the more baffling that we protect access to our bank accounts via cash machines with a simple 4 digit code rather than the kind of complex password any self-respecting website would demand you choose.

Yes, a hole-in-the-wall ATM does require you to be carrying your cash card as well, but it sends a bizarre message for banks to be seemingly teaching people that a code from 0000 to 9999 should be enough to lock up your worldly riches.

Maybe in the future we can hope to see the numerical keypads in ATMs replaced by touch screens showing us emojis instead… that may be a while off, but don’t be surprised if some banking apps start to ask you for your emoji passcode sooner rather than later.

  • MapLogin is an alternative to the normal textual password. The method works by identifying a location on a map image, much like recalling a hidden treasure. https://tildexe.appspot.com/

  • David L

    Hi Graham,

    Two years ago I had one account sign in that was using an emoji like image, but it was after user name and password, and used like a secret question, and sometimes they asked for that too. So it was a three to four step sign in process with the image being the second step. This was to protect you from spoofed login pages. You might lose your password to the criminal, but they still could not access your account, so it acts like 2 factor in a way.

  • Thomas

    So, they have effectively demonstrated that you can substitute one character set for another… so what's the technological breakthrough here?

    Once you get past the novelty of using pictograms rather than numbers and letters, an emoji passcode (with 44 icons) would obviously give you more possible combinations than a 4-digit pin code, but it wouldn't be as many combinations as an alphanumeric passcode (with upper and lowercase letters – 62 characters).

    And is there any psychological research to indicate that a string of icons is more memorable than letters and numbers? And how do you handle password resets and/or password hints?

    :-)

    • Coyote

      Indeed. I thought similar. Also, for the banks (or actually any site/device) that aren't foolish enough to disallow non-alphanumerical characters (or don't have an interface for it) you have even more characters.

      As for your latter question: no; I'm calling nonsense on that claim. It depends entirely on the person and how their brain works. Personally I would have a much easier time remembering a complicated password (or passphrase where relevant) than a bunch of images. The images rather sicken me although that is partly because I hate emoticons (at least graphical). But even if I didn't dislike them, I would have a harder time remembering them. Telling a story? That doesn't resonate with me at all. It might be easier for some but not all, especially with the amount of images (and images that are fairly similar!). Yet the better option is a password manager. If sites would start to understand, also, that limiting to alphanumerical (only) or alphanumerical and only a few non-alphanumerical characters, it would be better still. But unlikely. As for password hints… well, it would be better if they actually got rid of such a stupid concept. If nothing else they could make them better (by a lot). But that is unlikely to happen and consequently they seldom are all that great. The most likely questions are questions that you can generally find out with basic research on the target. Sure, some will lie and that's fine, but that doesn't mean the system is sound. I avoid password hints as much as possible; there are better ways for recovery, anyway. But try telling that to the masses.

  • prkralex

    The emoji passcode system (http://www.cbronline.com/news/mobility/security/emoji-banking—or—4601617) was launched following research, which showed that most of the people in the UK find it hard to remember numerical passcodes.

    A survey of more than 1,300 people revealed that nearly a third have forgotten their PINs before with one in four saying they use the same PIN for all their cards.

  • Uri

    Emoji passcodes aren't more secure in any way, it's just replacing one set of unicode chars with another one, still falling under the same category as "something you know".

    BTW, just after OLB pages started to use virtual keyboards (to protect their users from keyloggers), the fraudsters implemented a screen scraping functionality (screenshots) into all of their Banking Trojans.

    Taking a screenshot of the victim's login screen is easy, therefore this login system won't really protect anyone.