HackDig : Dig high-quality web security articles for hacker

«No Previous
No Next

My Password is [taco] Using Emojis for Stronger Passwords, (Tue, Feb 7th)

2017-02-07 13:50

When I tried to include the [taco] Unicode characters in the headline to this post, it cut off the headline. Supporting Unicode isnt easy, and often, to avoid security issues arising from Unicode, it is removed or outright blocked.

But in particular, mobile devices make it easy to type Emojis or other Unicode characters. As a security guy, my next question was if I can use them as part of my password. The quick answer: support varies... and dont count on it.

One issue I was a bit worried about is that multibyte characters often include the 0x00 byte. This can cause issuessince the 0x00 byte is often used to terminate strings. So I set up a quick test page to figure out if any of the PHP or MySQL hashing functions are susceptible to this issue. the Smiley character, for example, has a code of 0x1f600. The 00 byte could terminate the string, and all passwords starting with the Smiley character would result in the same hash. My initial testing hasnt found any issues like this, but I think this is an area that does require a bit more testing, in particularif a salt is added to a password prior to hashing.

If you want to play, I setup a quick test page with various PHP and MySQL hash functions: https://isc.sans.edu/emojitest.html

(and while you play, I will see if I can make the diary editor emoji capable-) )

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Source: ssr;pma&24022=diyrots?lmth.yraid/ude.snas.csi

Read:2563 | Comments:0 | Tags:No Tag

“My Password is [taco] Using Emojis for Stronger Passwords, (Tue, Feb 7th)”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud