My Password is [taco] Using Emojis for Stronger Passwords

Published: 2017-02-07. Last Updated: 2017-02-07 16:00:14 UTC
by Johannes Ullrich (Version: 1)

When I tried to include the [taco] Unicode characters in the headline to this post, it cut off the headline. Supporting Unicode isn't easy, and often, to avoid security issues arising from Unicode, it is removed or outright blocked.

But mobile devices in particular make it easy to type Emojis or other Unicode characters. As a "security guy", my next question was whether I can use them as part of my password. The quick answer: support varies... and don't count on it.

One issue I was a bit worried about is that multibyte characters often include the 0x00 byte. This can cause issues since the 0x00 byte is often used to terminate strings. So I set up a quick test page to figure out if any of the PHP or MySQL hashing functions are susceptible to this issue. The Smiley character, for example, has a code of 0x1f600. The "00" byte could terminate the string, and all passwords starting with the Smiley character would result in the same hash. My initial testing hasn't found any issues like this, but I think this is an area that does require a bit more testing, in particular if a salt is added to a password prior to hashing.

If you want to play, I set up a quick test page with various PHP and MySQL hash functions: https://isc.sans.edu/emojitest.html

(and while you play, I will see if I can make the diary editor "emoji capable" ;-) )

Keywords: emoji password

Comments

I unfortunately can't get the link to work?
The link shows "Sorry, the page you where looking for could not be displayed at this time."

I think you may be wrong on this one. The most popular encoding on the Internet is UTF-8, and in this encoding it's pretty much impossible for an incidental null byte to appear in a text string. Here's the excerpt from man(7) UTF-8:

--- CUT ---

Encoding
The following byte sequences are used to represent a character. The sequence to be used depends on the UCS code number of the character:

0x00000000 - 0x0000007F:
0xxxxxxx

0x00000080 - 0x000007FF:
110xxxxx 10xxxxxx

0x00000800 - 0x0000FFFF:
1110xxxx 10xxxxxx 10xxxxxx

0x00010000 - 0x001FFFFF:
11110xxx 10xxxxxx 10xxxxxx 10xxxxxx

0x00200000 - 0x03FFFFFF:
111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx

0x04000000 - 0x7FFFFFFF:
1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx

--- CUT ---

As you can see, a NULL byte can only appear as the 7-bit ASCII NULL char.

Cheers!
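The table quoted above can be turned into a small encoder, which makes the commenter's point mechanical: every byte of a multibyte sequence starts with a 1 bit, so it is at least 0x80 and can never be 0x00. The Python below is an added example, not part of the comment or the man page; it implements the original six-range scheme exactly as listed (modern UTF-8 per RFC 3629 stops at four bytes and U+10FFFF, so the five- and six-byte forms are kept only to match the table) and cross-checks the result against Python's own codec for the code points the codec accepts.

```python
# Encoding ranges taken from the man(7) utf-8 table quoted in the comment:
# (highest code point in the range, sequence length, lead-byte prefix bits).
UTF8_RANGES = [
    (0x7F, 1, 0x00),        # 0xxxxxxx
    (0x7FF, 2, 0xC0),       # 110xxxxx 10xxxxxx
    (0xFFFF, 3, 0xE0),      # 1110xxxx 10xxxxxx 10xxxxxx
    (0x1FFFFF, 4, 0xF0),    # 11110xxx + three continuation bytes
    (0x3FFFFFF, 5, 0xF8),   # 111110xx + four continuation bytes (obsolete)
    (0x7FFFFFFF, 6, 0xFC),  # 1111110x + five continuation bytes (obsolete)
]


def encode_utf8(code_point: int) -> bytes:
    """Encode one UCS code point by the table's rules (original 6-byte scheme)."""
    if code_point < 0:
        raise ValueError("negative code point")
    for limit, nbytes, lead in UTF8_RANGES:
        if code_point <= limit:
            break
    else:
        raise ValueError("code point above 0x7FFFFFFF")
    if nbytes == 1:
        return bytes([code_point])  # 7-bit ASCII, the only way to get 0x00
    out = bytearray()
    # Each continuation byte is 10xxxxxx and carries six payload bits,
    # lowest bits in the last byte.
    for _ in range(nbytes - 1):
        out.append(0x80 | (code_point & 0x3F))
        code_point >>= 6
    out.append(lead | code_point)  # whatever bits remain go under the prefix
    return bytes(reversed(out))


def can_contain_nul(code_point: int) -> bool:
    """Does the UTF-8 sequence for this code point contain a 0x00 byte?"""
    return b"\x00" in encode_utf8(code_point)


def all_bytes_high(code_point: int) -> bool:
    """For a non-ASCII code point, every byte of its sequence is >= 0x80."""
    return all(b >= 0x80 for b in encode_utf8(code_point))


def matches_python_codec(upper: int) -> bool:
    """Cross-check against str.encode('utf-8') for all code points below upper.

    Surrogates (U+D800..U+DFFF) are skipped because the codec rejects them.
    """
    for cp in range(upper):
        if 0xD800 <= cp <= 0xDFFF:
            continue
        if encode_utf8(cp) != chr(cp).encode("utf-8"):
            return False
    return True


if __name__ == "__main__":
    for cp in (0x41, 0xE9, 0x20AC, 0x1F600, 0x1F32F):
        print(f"U+{cp:04X} -> {encode_utf8(cp).hex(' ')}  NUL: {can_contain_nul(cp)}")
    print("only U+0000 yields a NUL byte below U+0800:",
          [cp for cp in range(0x800) if can_contain_nul(cp)] == [0])
    print("agrees with Python codec up to U+10FFFF:", matches_python_codec(0x110000))
```

The decisive check is `all_bytes_high`: for any code point above 0x7F the lead byte carries a prefix of at least 0xC0 and every continuation byte carries 0x80, so a zero byte cannot occur. That is why the concern in the diary about 0x1f600 does not materialise in UTF-8; the zero in the code point number never reaches the wire.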
