Are Emojis the Answer to Stronger Passwords?
As I’ve stated before, passwords are like cockroaches. No matter how hard the identity community tries, they keep scuttling out of the corners – another new SaaS app here, another new mobile app there. And though federation adoption is increasing, legitimate concerns over relying parties being given more data than they require are impacting the consumer market.
So passwords aren’t going away. Once we acknowledge that, it’s time to also acknowledge that the common wisdom about what makes a password secure is outdated. Research into how password attacks are actually carried out, and how passwords are often obtained by other means entirely, together with the updated guidelines from NIST and Microsoft that followed from it, indicates that it’s time we change password policies to reflect these realities.
One interesting finding of this research is that despite strong password guidelines, the human brain can only handle so much complexity. When confronted with a draconian password policy, we tend to fall into predictable patterns. (How many of us have appended a “1”, “2”, then “3” on successive passwords? Okay, perhaps not this audience. But certainly your aunts do.) And hackers know how to exploit these patterns to crack your password. As a result, one recommendation is that authentication systems get smarter to reduce the burden on the user.
For example, why not allow spaces or even emoji in a password? Users have been programmed to not use these patterns, but there’s no reason that authenticators can’t be updated to handle these Unicode characters.
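As an added example (not code from the original post), here is how a verifier can accept spaces and emoji the way NIST SP 800-63B describes: normalize to NFKC so visually identical inputs match, count length in Unicode code points rather than bytes, and then salt-hash. The PBKDF2 parameters, the 128-code-point upper bound and the stored-record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Limits follow NIST SP 800-63B: at least 8 code points for user-chosen
# secrets, and at least 64 must be accepted; 128 is this example's assumed cap.
MIN_CODEPOINTS = 8
MAX_CODEPOINTS = 128
PBKDF2_ROUNDS = 600_000  # assumed work factor; a memory-hard KDF is preferable


def canonicalize(password: str) -> bytes:
    """Normalize (NFKC) so visually identical inputs match, then check length."""
    normalized = unicodedata.normalize("NFKC", password)
    n = len(normalized)  # len() counts code points, so one emoji counts once
    if not MIN_CODEPOINTS <= n <= MAX_CODEPOINTS:
        raise ValueError(f"password must be {MIN_CODEPOINTS}-{MAX_CODEPOINTS} characters")
    return normalized.encode("utf-8")  # spaces and emoji survive untouched


def hash_password(password: str) -> str:
    """Return a self-describing salted record for storage (assumed format)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(password), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; policy violations simply fail."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", canonicalize(password), bytes.fromhex(salt_hex), int(rounds)
        )
    except ValueError:  # too short or too long after normalization
        return False
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse 🐴 battery")  # spaces plus an emoji
    print(verify_password("correct horse 🐴 battery", record))  # True
    # Precomposed é and e + combining acute normalize to the same secret.
    record = hash_password("caf\u00e9 au lait!")
    print(verify_password("cafe\u0301 au lait!", record))  # True
```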
Since they potentially have such a wide impact, password policies are updated slowly and carefully. But as identity and security professionals, it’s our job to embrace the world as it is and adapt our policies to combat what’s really happening out there in the wild.
By Sean Deuby, Identity Architect, Edgile