Deborah M. | July 03, 2015

Can emoji passwords confuse hackers?

Baseball. Football. Monkey.

Using any of those words — all of which landed in the Top 20 on a list of the 500 worst passwords of all time — to protect online accounts is the equivalent of giving hackers engraved invitations and keys.

But what if the word baseball is replaced by a cartoon image of the object? What if all three words are turned into symbols and used to replace the current mishmash of numbers, letters and traditional keyboard characters that make up the standard password?

Could emojis be the key that finally locks hackers out of secure networks for good?

Intelligent Environments, a U.K.-based financial software firm began testing the theory on Monday with the introduction of what it referred to as “the world’s first emoji-only password.”

Using a database of hundreds of emojis — cartoon symbols used in place of words in text messages and on social media sites — the company said its new system comes with 3.5 million different potential four-character password combinations and an added bonus of memorability that doesn’t come with letters and numbers.

In addition to saving customers headaches, it could save millions of dollars. A report by Cambridge, Mass.,-based Forrester Research says labor costs associated with password changes are around $70 per reset.

Tony Buzan, London-based author of “The Memory Book: How to Remember Anything You Want,” endorsed emojis passwords as a method that is more in touch with the brain’s natural learning patterns in a video posted on Intelligent Environments’ website.

“Forgetting passwords is because the brain doesn’t work digitally or verbally, it works imagistically,” said Mr. Buzan, inventor of Mind Maps

Beyond memory, introducing new ingredients into the current password stew can only increase variety and hamper hacking attempts, according to Adam Levin, founder of Scottsdale, Ariz.,-based identity protection firm Identity Theft 911.

“Anything we can do that is creative and innovative and gives us a new way to look at passwords, which unfortunately have been a disaster, is great,” he said.

Still, not all experts believe the idea will gain traction.

“It already has limits on it and the limits are a lot of things don’t use [emojis] right now. It’s not available on keyboards, Web apps don’t take it. It’s a whole other platform that would need to be adopted,” said Jeff Smith, information security officer for Oakland-based cybersecurity training firm Wombat Security.

Folding emojis into the infrastructure of millions of websites and applications would require a level of manpower and funding that Mr. Smith said even he couldn’t accurately predict.

Costs aside, he said the effort would ultimately fall short once hackers adapted the same techniques used with letters and numbers for symbols.

“A brute force app can load a dictionary full of combinations of numbers, letters characters. If it’s programmed to let it run it will come across your password and it can do the same thing for pictures,” he said.

Replacing a favorite food with a picture of a hamburger won’t make passwords any less predictable either.

“If a password can have four or five pictures, most people in the world are just going to pick the same five favorite pictures. Then you would only need to load seven or eight pictures for a brute force app to find the password,” said Mr. Smith.

Mr. Smith and Mr. Levin agreed that security with multiple layers of authentication, including biometric identifiers, such as iPhone’s fingerprint-scanning Touch ID, is the most likely next step in digital security.

Before that breaks into the mainstream, Mr. Smith emphasized the most important security features are old-school best practices.

“If there is a password policy in place from your IT department, if you have to have 12 characters, a capital letter, a special character and use a number, that’s what keeps you from being breached,” he said.

Deborah M. Todd: dtodd@post-gazette.com, 412-263-1652 or on Twitter @deborahtodd.

Read the full article on the Pittsburgh Post-Gazette