
Can emojis save you from a terrible password?

Researchers might have discovered a simple way to get more computer users to opt for strong passwords - tell them how easy their weak choices would be to hack.

The idea comes from research conducted by a team led by the University of Plymouth’s Centre for Security, Communications and Network Research (CSCAN), which tested the effectiveness of password advice strategies through two experiments.
In the first, 300 users creating a website account were offered either no password advice at all or were aided by a password meter, emotive feedback message or emoji.
The latter prompts improved matters a lot: password choices rated as “weak” dropped from 75% for the group offered no guidance, to a third for those given the emotive feedback.
In a second experiment, 500 users in the US were told how quickly a hacker might crack their password choice, causing them to choose passwords that were longer and up to ten times as strong as a result.
This points to a curious effect: the way you tell people what they’re doing wrong can be as important as the fact you’re telling them at all.
Or, if you like, the abstract rating of a password meter isn’t likely to be as effective at changing human behaviour as an alarming message telling people their hopeless password is going to make life easy for criminals.


Ideally, sites shouldn’t allow users to create weak passwords in the first place, regardless of whether advice on their weakness is offered or not.
Last year a study by Dashlane found that numerous big web brands are astonishingly lax on this score, with some imposing apparently-sensible eight-character limits without also disallowing these from simply being a single character repeated eight times (‘11111111’).
But even sites that already have tight policies in place might be able to boost password security further by giving users strongly-worded feedback.
Study co-author, Professor Steve Furnell:

A common weakness in the provision of security is that while relevant features are present and available to be employed, users are often expected to use them with little upfront guidance, or ongoing support.

It’s as if some sites are reluctant to be too insistent about password strength in case they put users off. If so, adding emotional cues could be a way to overcome this.
It’s also true that even the best-crafted password counts for nothing if it has already been compromised.
On that front, Troy Hunt’s Have I Been Pwned (HIBP) site recently launched version two of Pwned Passwords which allows anyone to check a password to see whether it’s on the compromised naughty step – using one that turns up here would be a major security risk.
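As an added example (not code from the article or from Have I Been Pwned), the snippet below combines the two checks discussed above: a local policy that refuses the “single character repeated eight times” passwords Dashlane found being accepted, and a Pwned Passwords lookup. Pwned Passwords version two answers a query with every hash suffix sharing the first five characters of the password’s SHA-1, so the password itself never leaves the client; the range response used here is constructed so the code runs offline, and its counts are made up.

```python
import hashlib

def local_policy_ok(password: str, min_len: int = 8) -> bool:
    """Reject the trivial cases the article calls out: too short, or a
    single character repeated ('11111111')."""
    return len(password) >= min_len and len(set(password)) > 1

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 hex split into the 5-char prefix that is sent to the
    range endpoint (GET /range/<prefix>) and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, range_body: str) -> int:
    """How many times the password occurs in the breach corpus (0 = absent),
    decided locally by matching the suffix against the range response."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)

def constructed_range_response(leaked: dict[str, int]) -> str:
    """Build a CONSTRUCTED stand-in for the range endpoint's reply so the
    example runs offline; the counts are invented, not real HIBP data."""
    lines = [f"{sha1_prefix_suffix(pw)[1]}:{n}" for pw, n in leaked.items()]
    # padding suffixes, so a match is not simply 'the only line present'
    lines += [f"{'0' * 34}{i}:1" for i in range(3)]
    return "\r\n".join(lines) + "\r\n"

def check_password(password: str, range_body: str) -> str:
    """Combine the local policy check with the breach lookup; the wording is
    the blunt, concrete feedback the study found more effective than a meter."""
    if not local_policy_ok(password):
        return "rejected: fails the local policy"
    n = pwned_count(password, range_body)
    if n:
        return f"rejected: seen {n} times in breaches, attackers will try it first"
    return "accepted"

if __name__ == "__main__":
    body = constructed_range_response({"password": 3_000_000})
    for pw in ("11111111", "password", "horse-battery-staple-42"):
        print(pw, "->", check_password(pw, body))
```

Against the live service the only change is fetching the range body over HTTPS for the computed prefix; the matching still happens on the client.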
Or perhaps passwords are one of those insoluble conundrums and admins should focus instead on layering security using password throttling (limiting incorrect guesses), making sure password reset systems aren’t a backdoor, and enforcing multi-factor authentication.
For anyone who believes there is always a right way and a wrong way to make a password, feel free to read our password advice.

8 Comments

I like this idea a lot. The problem with online password strength checkers is that they are online and potentially susceptible to breaches themselves. If some entrepreneur would build a local strength checker that we could run from inside our network, I would be the first to support it.

Almost all of them are local because they run entirely in the browser. However, they are almost all dreadful. And this is why…
https://nakedsecurity.sophos.com/2016/08/17/why-you-still-cant-trust-password-strength-meters/

you beat me to it :) and saved me from having to search this site to find the article. Have a thumbs up :)

!h8Em0gz
My favorite password: Supercalifragilisticexpialidocious. with various character changes, acronyms, dates tossed in different spots, name of the site used in the front of it. but it’s rare to find a place that lets you use long passwords… so I don’t use it… also would take an extra 30 min out of my day to type it in several times lol

It doesn’t have to be *that* long to be strong:
https://nakedsecurity.sophos.com/2014/10/01/how-to-pick-a-proper-password/

The only way to get users to produce and use better, more disparate passwords is through a password management tool.

What do you recommend for password management tools that make it easier not to reuse passwords?

We’ve written a range of articles on Naked Security in recent years covering everything from the risks of password managers, the benefits of password managers, and reviews of some of them…
…try putting “password manager” in the search box and taking it from there.
