
I included emoji in my password and now I can't log in to my Account on Yosemite - gdeglin
http://apple.stackexchange.com/questions/202143/i-included-emoji-in-my-password-and-now-i-cant-log-in-to-my-account-on-yosemite
======
Twisell
And this is a perfect reminder that you should never try some crazy things on
your only administrator account on your production machine.

Had he tested his point on a dummy account: delete account = problem solved

~~~
dlitz
Well, really, it should just work or OSX should prevent this from happening in
the first place.

Emoji are common among non-technical users---exactly the market that Apple
supposedly caters to---and why would anyone expect a non-technical user to
know that using emoji in a password would be considered "crazy", without
knowing the extensive legacy of pre-Unicode systems, the location of many
emoji outside the Basic Multilingual Plane, their relatively recent inclusion
in Unicode 8.0, etc etc.?

It is a mistake to blame the user for something like this.

~~~
notfoss
Not trying to excuse OSX's behaviour, but non-technical users are the ones who
use passwords like: abcdef, 123456, password123, etc.

In fact, using such characters (emojis, other unicode characters, etc.) in
passwords should be considered a secure practice.

~~~
dragontamer
Technical users use Diceware because it's the best way for the human mind to
capture entropy.

[https://en.wikipedia.org/wiki/Diceware](https://en.wikipedia.org/wiki/Diceware)

It's the non-technical users who try the silly stuff. A diceware password with
4 words is 51-bits of entropy. 5 Words gets you 64-bits of entropy.

For example, if you remember that "U+2708" is the Airplane emoji, why not just
type the string "U2708" on the end of the password (ex: MyPasswordU2708). The
longer password is going to add provably the same amount of entropy, and will
work with virtually any system.

~~~
valarauca1
The old bits of entropy count is based on extended ASCII. In reality we could
count UTF-8 code points, with each code point having 1/#code_point entropy.

A brute force guesser can throw UTF-8 chars instead of attempting to
rebuild emoji from their underlying ASCII string.

~~~
jerf
"with each code point having 1/#code_point entropy."

That requires that users be uniformly-randomly selecting Unicode characters.
There are a number of problems with this idea, most notably that the resulting
password would have an insanely high "difficulty to type"/"bit of entropy"
ratio. By the time you're through your third keyboard mode switch or third
character typed in via generic Unicode hex entry, a 4-word passphrase user
already has logged in and opened their browser.

Mixing in a single Unicode character into your password might be sorta clever,
but you probably shouldn't rely on getting a lot more "bits" out of it.

~~~
valarauca1
Users don't uniformly select ASCII characters but generally we accept 1 char
of password length === 8 bits of entropy.

~~~
dragontamer
> 1 char of password length === 8 bits of entropy

Oh hell no. [https://xkcd.com/936/](https://xkcd.com/936/)

The "little obscure tricks" to increase the entropy of a password do NOT work
well with human memory. If your template is "Uncommon Word + Emoji + 5
tweaks", your entropy is 50,000 (the uncommon word) x (number of Emojis) x 5 *
8 (there are roughly 8 ways to "tweak" a word).

There are no more than 500 Emojis that people use. You're not getting much
entropy by choosing one. Now if you start choosing obscure Chinese words and
Arabic symbols, maybe you'd be getting somewhere (It requires mastery of
multiple languages to _really_ exercise that UTF-8 dataset).

But honestly, an English-speaker will get far more entropy by just adding two
more common words (top 5000) to their password. A new common word is worth a
hell of a lot more than an Emoji. A phrase of 8 words (i.e. a sentence) is also
very easy to memorize and contains a ton of entropy as well.

Even a simple sentence is impossible to brute force. The following sentence
has probably never been said in the history of humanity:

"My long password to gmail.com is a passphrase, the current sentence that I
just typed, lulz!"

That sentence is virtually unhackable and easy as heck to memorize. Sure, the
entropy is only a few bits per character, but the length makes it better. And
since it uses common letters, it is extremely quick to type.

So unless you plan on learning a new language to hit those obscure Unicode
symbols, I think it's best to just stick with what your brain is already wired
to memorize: Words. Common English Words.
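
The entropy arithmetic from the two dragontamer comments above (Diceware word counts, the "uncommon word + emoji + tweaks" template, an 8-word sentence, and the "U2708" spelling of an emoji), worked as an added Python example that is not from any commenter. The choice counts are the thread's own rough figures; `template_bits` and `codepoint_suffix` are names chosen here, not library functions.

```python
"""Entropy arithmetic for the password schemes compared in this thread.

Added example, not written by any commenter.  The choice counts below are the
thread's own rough figures; template_bits and codepoint_suffix are names
chosen here, not taken from any library.
"""
from math import log2

DICEWARE_WORDS = 7776      # 6**5: one list entry per roll of five dice
COMMON_WORDS = 5000        # the "top 5000" English vocabulary
UNCOMMON_WORDS = 50_000    # the "uncommon word" vocabulary
COMMON_EMOJI = 500         # "no more than 500 Emojis that people use"
TWEAK_VARIANTS = 5 * 8     # "5 tweaks ... roughly 8 ways to tweak a word"


def template_bits(*choice_counts: int) -> float:
    """Entropy in bits of a password assembled from independent parts.

    A part drawn uniformly from n possibilities contributes log2(n) bits, and
    independent parts add.  This is an upper bound: real users do not choose
    uniformly, so the true figure is lower.
    """
    return sum(log2(n) for n in choice_counts)


def diceware_bits(words: int) -> float:
    """Bits for a Diceware passphrase of the given length (~12.9 bits per word)."""
    return template_bits(*[DICEWARE_WORDS] * words)


def codepoint_suffix(char: str) -> str:
    """Spell one character as its Unicode scalar value, e.g. airplane -> 'U2708'.

    The mapping is one-to-one, so appending 'U2708' instead of the airplane
    glyph carries exactly the same entropy while staying in printable ASCII,
    which every login prompt and keyboard layout can enter.
    """
    if len(char) != 1:
        raise ValueError("expected exactly one code point")
    return f"U{ord(char):04X}"


def compare_schemes() -> dict:
    """Upper-bound entropy, in bits, for each scheme discussed above."""
    return {
        "diceware, 4 words": diceware_bits(4),
        "diceware, 5 words": diceware_bits(5),
        "uncommon word + emoji + tweaks": template_bits(
            UNCOMMON_WORDS, COMMON_EMOJI, TWEAK_VARIANTS),
        "8 common words (a sentence)": template_bits(*[COMMON_WORDS] * 8),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:32} {bits:5.1f} bits")
    print("MyPassword" + codepoint_suffix("\u2708"))   # MyPasswordU2708
```

The numbers reproduce the thread's figures: about 51 and 64 bits for 4 and 5 Diceware words, under 30 bits for the word-plus-emoji template, and roughly 98 bits for eight common words.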

~~~
tracker1
The only downside to that is when you're trying to enter it on your phone. I
do use sentences, but generally not that long... usually wind up with 15-20
characters, which is long enough. LastPass helps with some instances.

"F34r is the mind killer." as an example, does use replacement, but only in
one of the words, it's short enough that phone entry isn't too bad, and is
easy enough to remember. Given it's a phrase from a movie/book, but probably
good enough.

That said, I probably wouldn't have thought to use an emoji, I know some
people hate it, but I do filter whitespace at the beginning/end of protected
entry (reset codes, etc), as copy-paste + whitespace errors are more common
than leading/trailing whitespace in a password.

~~~
jerf
'"F34r is the mind killer." as an example, does use replacement,'

This is the sort of thing I mean, though, when I say we don't usually use
fully random replacement. 3 for e, 4 for a, $ for s, these things add very
little entropy overall because they are so common. We don't really use
"symbols" in our passphrases; we use only !@$& probably overall, and those in
highly stereotyped situations.

Suppose you know the first four characters of someone's password are "hous";
what's the next character? Big, big spikes around e and 3, maybe a smaller one
on E and i/I, then "everything else".

------
OSButler
A client once had an issue where his account got compromised and everything
pointed to having his actual login details leaked. His password was something
like his username plus an assortment of random characters. It turned out that
the system his account was on basically ignored everything after the 8th
character, so that you were able to login with the username as the password.

Also, during the early days of inline password generators, there were cases
where the suggested password was incompatible with the associated system.

~~~
TwoBit
That's how Schwab.com implements passwords. 8 characters max. For life savings
brokerage accounts.

~~~
INTPenis
Swedbank in Sweden have a feature where you can access an account's entire
balance by generating random CC#'s for online shopping, and this service is
protected by your social security number and a 6-character password, a-z, 0-9,
no special characters allowed.

They've had this for at least 6 years now, maybe longer. Early on when I
e-mailed them about it they simply stated that it's not their service, in
other words, outsourced.

~~~
emerongi
Swedbank also requires two-factor authentication. You can bypass this by
calling them - they only ask for 1 thing to authenticate you. Two-factor
authentication is rather useless if you can just bypass it like that.

~~~
Zach_the_Lizard
> You can bypass this by calling them - they only ask for 1 thing to
authenticate you.

The domain for my personal site is shared with my family. My father registered
the domain and all of the details in the account use his information. I had
just created an AWS account and wanted to move the site's DNS to Route53.

I was able to call into the domain registrar and get exactly zero of the
details correct, but they pointed the domain to Route53. It was hilarious how
bad it was. I used my social, my name, my address, etc., none of which matched
the info on file.

Even if I had used my father's info, it (except the social) would have been
wrong because we lived overseas on a military base. When your system says
Japan and someone from the US is calling, that should set off all sorts of
alarm bells.

------
bhaak
Such problems are the reason why I never use anything but ASCII letters as
passwords (if the system doesn't enforce arbitrary password policies). I'd
rather have a longer ASCII-only password than a shorter one I might not be
able to input.

There's also the issue that often you are not sure what keyboard layout is
currently enabled and even such unsuspicious characters like ! or # are on
completely different locations on different keyboard layouts (then there's the
z-y swap on German derived keyboards and have you ever had a look at a French
keyboard layout?).

You can never be sure if a system locks you out after failed attempts, so I
want to be sure that there are as few error sources as possible.

~~~
ramses0
I got bit one time at work by setting a password as "$foo", instead of "foo$"
or "fo$o" ... turns out the password-setting script was written in perl and
Strange Things happened where only some systems got updated but not others.

Honestly, probably exploitable now that I'm thinking about it... I'll have to
stop by the security group and give them something to chew on over the
holidays.

~~~
realusername
I had the same problem at the university with a password with '*' in it. It
was actually some old bash script behind it which would update random things.

------
minikomi
Hmm. Not really related, but now that it seems to be fixed - I discovered that
using an equals sign in your name was enough to be "locked out" of Airbnb - it
wrecked the cookie & every page would return 403. No bug bounty though haha.
Guess it wasn't enough of an "attack vector" to try and convince someone to
change their name.

~~~
hahainternet
I know of an online store that if you use a + in your email address, will fail
to charge you for any goods you order.

I'm assuming because something somewhere on their backend assumes that '+' is
an invalid email character and refuses to process the job. This is
unbelievably common.

~~~
philh
I remember finding somewhere that let me sign up with a +, but not log in with
it - unless I disabled client-side validation, at which point the server was
happy to let me in.

~~~
arthurcolle
That's insanely insecure. Can't believe client side validation would be used
for a login system other than as a first check.

~~~
philh
I still needed the password (or so I assume). It was just a first check that
was stricter than it should have been.

~~~
toxik
This is why backend and frontend need to share code!

------
Johnny_Brahms
I have had something similar bite me, although mine was easily fixed. I used
Swedish (åäö) characters for my disk encryption password. This worked fine,
until I did a dist-upgrade and had my boot keyboard reset to US QWERTY (using
a custom Swedish version of capewell-dvorak).

The solution for me was to stick on LTS distros.

~~~
moviuro
I'm pretty sure the standard US layout offers more than enough symbols to
write an excellent password.

I tend to prefer extremely long passwords/phrases over things that require
stupid characters (had trouble with WiFi keys using the French "é" back in
2008; all my passwords have been ASCII since).

~~~
oneeyedpigeon
Of course, characters that I use in my everyday language aren't "stupid" to
_me_.

~~~
himlion
Even my name contains that "stupid" character :)

Although I have to agree with him, I wouldn't use it in a Wifi password either.

------
golergka
On one hand, I want to leave a witty comment in the line of "play stupid
games, win stupid prizes".

On the other hand, I'm sad that I didn't try to do that myself.

------
paines
Many Linux installers suffered for years from the situation that you would enter
your password in the setup process with a different keymap than the one you got
once the system then loaded, e.g. y-z were mismatched because I was using QWERTZ
instead of QWERTY. I think I saw something similar lately with one of the
OSX'es.

------
grapeshot
The Chrome password manager still crashes the entire browser when trying to
save any password with emoji in it on Windows. Firefox works perfectly fine.

------
socket0
Well, the account is now secure. Objective achieved?

------
r00fus
Reminds me of a time in France when someone at a customer site complained they
were locked out of their laptop - his Win NT4 laptop had a QWERTY keyboard but
he put his password in French using the keyboard switcher in the OS. Back then
Windows didn't allow you to change keyboard type at the login screen - it kept
what you were using when you logged off...

------
msftie
In college I worked at an Apple store. One day while on break in the back of
the store, I changed my company account password to a lengthy sentence,
something at least 30+ characters. The system accepted the change.

When I tried to log in to the timeclock application again using the password,
it threw Null Pointer Exceptions (it was a Java app, incidentally). In order
to get back on the clock and get paid again, I had to reset my password -- but
entering my current password into the "old password" field caused the system
to throw more Null Pointer Exceptions.

I called Apple IT to do a manual reset of my password, and after explaining my
situation, the response was a very cold, concise and condescending "why would you
do this..."

------
BorisMelnik
Was really surprised to see such a great solution and walkthrough. I had no
idea Macs had "unicode text input" software on default machines. I wonder why
Windows hasn't upgraded charmap.exe over the years?

Ok and hear me out on this: a startup idea based on emoji passwords that
encodes/decodes emojis into their hex/binary equivalent. Takers?

~~~
biot
> a startup idea based on emoji passwords that encodes/decodes
> emojis into their hex/binary equivalent.

Is "startup" now synonymous with "thing that I built in 2 hours and have no
ability to monetize"?

~~~
j42
Well, "startup" is a poor choice of words, but he actually has a half-decent
idea.

As someone who owns dozens of little "tool" sites (think less/scss converters,
meme generators, JS beautifiers, etc), I can tell you each is probably 1-2
pages, took an hour to build and thankfully due to some domain squatting (kw
in domain) and a low bounce rate I don't have to worry much about SEO.

As for the Adsense revenue, I think you'd be quite surprised.

One is an afternoon, not a startup idea.

50, on the other hand, could be passive income for a _very_ long time.

Just something to consider before jumping to negativity. ;)

~~~
kgtm
Interesting. I would love to hear more details, like how much traffic you are
bringing in total from these mini-apps and how much income from Adsense.

~~~
j42
I have two books in my queue actually, and this is one of them.

There are parts of my content-property model I'm not ready to share, but most
of it has been structured into a cohesive framework of how I:

1. find niches
2. automate site creation
3. optimize w/ gpt (google publisher tag)

I'm sorry to say I won't be releasing that first... The first is due within
the next 12-14 days, after which it should take me 1-2 months to finish
writing & editing the adsense-property-model guide.

To leave you with something tangible, it's very feasible to produce 5-figures
per day with only hosting cost as your overhead ($300/mo).

[edit] without automation tools though, it would obviously be _very_ tedious
to produce the number of properties required to have that kind of income by
hand. process flow & site generation/management is the crux of this strategy.

~~~
kgtm
Thanks for the reply. Does site creation involve pure content sites as well as
simple web apps? Or maybe some kind of hybrid for SEO purposes?

I would love to read more once you have something published. You should
consider adding some contact info in your profile so that people won't go on a
stalking expedition to find you (as I did) :)

~~~
j42
Hah, the way you phrase that makes me wonder what you found.

Right now really just web apps. Content sites are doable, and I know people
running networks, but it's not possible to do profitably without clickbaiting,
low-quality mass-produced content, and other greyhat techniques I don't
particularly like.

I think it's fair to show you an ad if I save you 30 seconds to a minute of
time. Creating garbage content slideshows with writers from the 3rd world
countries to rack up pageviews is one step over the line for me...

Simple apps are great because they have utility (so google always approves
your tag), and honestly the doubleclick exchange isn't so bad -- with enough
simple single-page apps, it accrues pretty quickly.

------
coldtea
You try to make things idiot-proof and they bring in better idiots.

1) The user tried to see if emoji can be used for the password.

2) Without checking on the web/forums/etc first.

3) On their main user account (not a disposable one).

4) With FileVault turned on.

I can't even...

------
nkrisc
Sure it's a silly thing to try, but this is entirely an oversight on Apple's
part and is squarely their fault. They had the power to make this situation
impossible and they didn't.

------
TazeTSchnitzel
I used ® as my password during (what Americans would call) middle school.
Alt+numpad works on the Windows XP login screen. It never caused me any
trouble.

------
RUG3Y
This is the funniest thing I've read in a while.

------
DonHopkins
You can use Emoji characters in Wifi network names. My network name is [POOP].
See what kind of fun you can have at the airport by making an ad-hoc network
called [AIRPLANE][BOMB].

~~~
gutnor
Seems to be a good way to be exempted from business trips to/from the US for the
rest of your life. Too bad it also affects leisure trips.

------
drdeca
I had problems when I set my admin username on my Windows laptop to when
setting it up for the first time. It wouldn't let me do things which required
admin, iirc.

