this post was submitted on 03 Nov 2023
301 points (87.2% liked)

Technology

59578 readers
2932 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] jordanlund@lemmy.world 176 points 1 year ago (7 children)

Emojis are known to break systems in certain circumstances due to the way they're interpreted in certain character sets.

I guarantee people doing this will not only lock out their own accounts, but may even freeze some authentication servers.

https://www.pcmag.com/news/want-to-brick-an-iphone-send-some-emojis

https://www.itechpost.com/articles/75762/20170119/brick-iphone-using-emojis-plus-tricks-dont-know.htm

[–] abhibeckert@lemmy.world 49 points 1 year ago* (last edited 1 year ago) (3 children)

The website should feed your password straight into a well known hashing algorithm or key derivation function that has undergone a decade or more of careful scrutiny, without any other processing. The output will usually be a fixed length base64 or hex string.

There's a short list of about three options that are currently considered acceptable, and a few more are probably fine but are a little too easy to crack these days (e.g. anything that shares the same math as bitcoin... what if someone throws a mining datacentre at your password?)

If the site breaks, maybe you don't to be a customer of that service.

[–] NightAuthor@lemmy.world 18 points 1 year ago

Can you still log in to wellsfargo accounts using the T9 translation of your password?

[–] Vilian@lemmy.ca 8 points 1 year ago

make one account with emoji password to test their system, if it break, good, go create hour account somewhere else

[–] lemmyvore@feddit.nl 6 points 1 year ago (2 children)

It's not the processing on the server that's the problem. To reach the server the password needs to go through several layers of character encoding, if any of them fails the server will receive something different from what you meant. And when you try to login from another device and the layers will be different you'll effectively be sending a different password.

[–] ricecake@sh.itjust.works 4 points 1 year ago (1 children)

The same character encoding that would break emoji would break a significant portion of the words names, so if your system can't handle it, then you deserve all the trouble that you run into.

Unicode isn't that hard.

[–] Dark_Arc@social.packetloss.gg 1 points 1 year ago

You're not wrong, but some systems, especially smaller ones are intended for English-only situations (or originally were) so non-English language situations might not be as well tested and/or may cause things to break.

Remember there are some sites that still refuse service if you put a " in your password. I'm not saying it's right, but it's a definite possibility.

[–] lolcatnip@reddthat.com 0 points 1 year ago (1 children)
[–] Dark_Arc@social.packetloss.gg 1 points 1 year ago

That is very much not a 90s problem. Especially if the company has a website and an app or is a small company not thinking about these things.

In theory this shouldn't be an issue but it definitely could be an issue on certain services.

[–] Arin@kbin.social 28 points 1 year ago* (last edited 1 year ago) (1 children)

auth servers breaking from emojis would be hilarious, pretty sure that's why older auth servers only allow certain symbols in passwords

[–] jordanlund@lemmy.world 35 points 1 year ago (1 children)

"Your password '🤣umådbrø⁉️' is breaking our server. Please change it."

[–] mindlight@lemm.ee 9 points 1 year ago

"Of course. What is the server's root password?"

[–] Kusimulkku@lemm.ee 13 points 1 year ago

If some auth server breaks because I put emojis in my password then that's right and deserved

[–] viking@infosec.pub 7 points 1 year ago (3 children)

Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin' for not stripping non-UTF characters (or making sure they work).

My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn't have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn't even recognize it.

So if anything, I'd say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboards layout can be installed across devices and are fully standardized, even if the same character looks slightly different.

[–] Username@feddit.de 17 points 1 year ago (1 children)

Stripping characters from passwords, great idea! Right up there with truncating passwords that are too long.

[–] kuneho@lemmy.world 3 points 1 year ago

also some OSKs put whitespaces after inserting an emoji, some doesn't. there's no unified emoji input method yet.

[–] lolcatnip@reddthat.com 2 points 1 year ago

There's no such thing as a non-UTF8 character. You mean non-UTF8 bytes? If a system sees those, it should reject the entire input, not try to patch it up.

[–] lolcatnip@reddthat.com 4 points 1 year ago (1 children)

OTOH, there is only one character set that matters, and any system using a different one is, by that fact alone, broken.

[–] jordanlund@lemmy.world 0 points 1 year ago (1 children)
[–] lolcatnip@reddthat.com 4 points 1 year ago (1 children)

I said only one that matters. So I already did pick one. It's called Unicode.

[–] jordanlund@lemmy.world 0 points 1 year ago (2 children)

UTF-8 and UTF-16 pretty much do everything, but if you have a UTF-16 emoji in a UTF-8 system, you'll have a bad day. :(

[–] lolcatnip@reddthat.com 4 points 1 year ago (1 children)

Those are encodings, not character sets.

[–] jordanlund@lemmy.world 1 points 1 year ago

IANA calls them character sets, it's literally in the URL twice, that's good enough for me!

[–] rafa@lemmy.world 1 points 1 year ago

No need to tell us how you feel every day

[–] 50gp@kbin.social 4 points 1 year ago* (last edited 1 year ago) (1 children)

and there are many trash implementations that dont recognise something like :emoticon: as shortcut and turn it into emoji, no no you have to use emoji keyboard to type them

[–] Salamendacious@lemmy.world -5 points 1 year ago (2 children)

That only applies to iphones that came out 2016 or earlier and we're never updated right?

[–] Funwayguy@lemmy.world 24 points 1 year ago (1 children)

Hahaha, I wish.

You would be amazed at how ancient and poorly maintained many web servers are on the modern internet. SQL injection still consistently make the top 3 web app vulnerabilities as of 2021. If that isn't being sanitized properly I don't expect emojis would be handled much better.

[–] Salamendacious@lemmy.world 4 points 1 year ago

Thanks I wasn't aware of that

[–] jordanlund@lemmy.world 7 points 1 year ago* (last edited 1 year ago) (1 children)

For that particular bug, yes, but there have been many other variations on that theme and not limited to Apple tech. I've seen it nuke an email send for example because the SMTP server choked on emojis placed in a subject, to, or from line.

[–] Salamendacious@lemmy.world 3 points 1 year ago

Thanks I appreciate the clarification