Could emojis be the future of online security?
One company is claiming so, suggesting that replacing four-digit passcodes with a four-character emoji string would be almost 500 times more secure. So should we ditch our pins for smiley faces?
The British start-up at the heart of the claims, Intelligent Environments, trumpets numerous other benefits as well. It cites “memory expert” Tony Buzan, who says that an emoji passcode “plays to humans’ extraordinary ability to remember pictures, which is anchored in our evolutionary history”.
“We remember more information when it’s in pictorial form,” Buzan adds.
And naturally, anywhere the word “emoji” appears, the word “millennial” soon follows. Intelligent Environments’ managing director, David Webber, says the company “had input from lots of millennials when we developed the technology”.
“Our research shows 64% of millennials regularly communicate only using emojis,” Webber says, “so we decided to reinvent the passcode for a new generation by developing the world’s first emoji security technology.”
But can their claims actually be true? Is an emoji passcode really more secure than a pin?
The simple answer is: yes. A traditional four-digit pin is an absurdly weak authentication system, offering just 10,000 variations (even fewer when you account for the fact that certain common combinations, such as 9999, aren’t allowed by most banks). That’s why ATMs eat your bank card if you guess the pin wrong too many times: if you were allowed to guess indefinitely, even a slow typist could access a stolen card in less than a day.
That’s because a pin code has ten possible digits – the numbers 0–9 – and four places for those digits to go. Ten to the power of four (or 10⁴) is 10,000, which is the number of possible pins.
By contrast, the emoji passcode offers a choice of 44 emoji, and four slots, offering 3.8 million different passcodes (because 44⁴ = 3,748,096). It’s not quite the 480 times more secure that the company promised, because they assume that you won’t use the same emoji or digit twice in any one passcode, but it’s still a significant improvement.
But don’t put all your investments in emoji-based security just yet. The fact is, pin codes are basically the worst authentication system known to man. Inventing a system better than them is like selling a home security solution and proudly showing off that it’s better than hiding the key under a flowerpot.
For instance, an eight character password that only uses lower-case letters offers 208 billion combinations, making it 55,000 times better than an emoji passcode. And most banks would rate an eight character lower-case password as “bad” security. A ten-character password using a mixture of upper and lower case letters, as well as numbers and special characters, offers 75¹⁰ combinations (that’s 5 quintillion) – making it 1,502,456,572,870 times better than an emoji passcode.
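The comparison above can be reproduced and extended with entropy in bits, the chance of a correct guess before a lockout, and the time needed to try every code without one. This is an added example, not part of the original article; the three-attempt lockout, the five seconds per manual guess and the uniformly random choice of secret are assumptions.

```python
import math

# Schemes as described in the article: (alphabet size, length), repeats allowed.
SCHEMES = {
    "4-digit pin": (10, 4),
    "4-emoji passcode": (44, 4),
    "8-char lower-case password": (26, 8),
    "10-char mixed password": (75, 10),
}


def keyspace(alphabet, length):
    """Number of distinct secrets when symbols may repeat."""
    return alphabet ** length


def entropy_bits(alphabet, length):
    """Entropy of a uniformly random secret, in bits."""
    return length * math.log2(alphabet)


def lockout_success(space, attempts):
    """Chance that `attempts` distinct guesses hit a uniformly random secret."""
    return min(attempts, space) / space


def days_to_exhaust(space, seconds_per_guess):
    """Worst-case days to try every secret when nothing limits guessing."""
    return space * seconds_per_guess / 86400


def compare(attempts=3, seconds_per_guess=5.0):
    """One row per scheme; `attempts` and `seconds_per_guess` are assumed values."""
    emoji = keyspace(*SCHEMES["4-emoji passcode"])
    rows = []
    for name, (alphabet, length) in SCHEMES.items():
        space = keyspace(alphabet, length)
        rows.append({
            "scheme": name,
            "keyspace": space,
            "bits": round(entropy_bits(alphabet, length), 1),
            "vs_emoji": space / emoji,
            "p_before_lockout": lockout_success(space, attempts),
            "days_no_lockout": days_to_exhaust(space, seconds_per_guess),
        })
    return rows


if __name__ == "__main__":
    for r in compare():
        print(f"{r['scheme']:28} {r['keyspace']:>26,} {r['bits']:>5} bits  "
              f"x{r['vs_emoji']:.3g} vs emoji  p={r['p_before_lockout']:.2e}  "
              f"{r['days_no_lockout']:.3g} days")
```

With these assumptions the pin falls in well under a day without a lockout, while the emoji passcode still falls in about seven months of manual guessing, so the attempt limit rather than the alphabet remains the control that matters for both.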