Blog: Passwords

Change your password to smiling, winking, pensive, sleepy….

Ken Munro 17 Jun 2015


No doubt you saw the coverage in the press recently about using emoji-based PINs instead of numeric PINs.

The logic was that by increasing the character set, a PIN becomes much more secure. The suggested emoji character set had 44 emojis to choose from.

Yes, by moving from 0-9 numbers to 44 emojis, one does increase complexity, but this is completely the wrong message to communicate! Length is important too.

We already have a character set that is better than numeric PINs. It offers 104 characters to choose from and is already enabled in virtually every mobile & desktop computing device out there.


…and it creates nice complex passwords for you to use. Maybe less practical to enter than a PIN when driving at 80 mph (but we don’t do that, do we) but you could choose your own limited character set to make it easy. Say lowercase only & 5 letters. That’s better than 4 emojis.

Now for some (loose) maths

Choosing 4 emojis from a set of 44 gives about 3.7 million combinations.

A 4-digit numeric PIN gives 10,000. Emoji win!

But all you have to do is make your PIN 7 digits and you’ve beaten emoji auth:

You get 10 million combinations with that, making for a PIN that’s 2.5 times stronger.

You didn’t have to learn anything new, you just used existing tech to make your PIN better.

Or use your keyboard: 5 lowercase letters from 26 gives about 12 million combinations. 3 times stronger than the 4 emojis.
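The sums above, generalised as an added example (not code from the original post): for each character set size mentioned in the post, it finds the shortest length that strictly beats 4 emojis from 44 and gives the exact counts behind the rounded figures. The set labels and function names are this example's own.

```python
import math

# Character-set sizes quoted in the post; the labels are assumptions of this example.
CHARSETS = {"digits": 10, "lowercase": 26, "emoji": 44, "keyboard": 104}


def keyspace(charset_size: int, length: int) -> int:
    """Possible secrets when every position is chosen independently.

    This is an upper bound: it only holds if users choose uniformly at
    random, which predictable choices such as 1234 do not.
    """
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same quantity expressed in bits (log2 of the keyspace)."""
    return length * math.log2(charset_size)


def min_length_to_beat(charset_size: int, target: int) -> int:
    """Shortest length whose keyspace strictly exceeds target (exact integers)."""
    length = 1
    while keyspace(charset_size, length) <= target:
        length += 1
    return length


def compare(baseline_set: str = "emoji", baseline_len: int = 4):
    """Return (set, min length, keyspace, ratio to baseline) for every set."""
    target = keyspace(CHARSETS[baseline_set], baseline_len)
    rows = []
    for name, size in CHARSETS.items():
        n = min_length_to_beat(size, target)
        space = keyspace(size, n)
        rows.append((name, n, space, round(space / target, 2)))
    return rows


if __name__ == "__main__":
    print(f"baseline: 4 emoji = {keyspace(44, 4):,} "
          f"({entropy_bits(44, 4):.1f} bits)")
    for name, n, space, ratio in compare():
        print(f"{name:>9}: length {n} -> {space:>13,} "
              f"({entropy_bits(CHARSETS[name], n):.1f} bits, x{ratio})")
```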


Yes, raising emoji auth does help with some broader, valid points:

The worst possible PIN is no PIN at all. Getting people talking about implementing authentication on their mobile devices is a good thing.

Extending character sets for authentication is also a good point to raise, as it can massively increase password cracking time.

But you can achieve something similar by using local-language characters. The £ (pound sterling) sign is a great example, as it only features on UK-related keyboards.

But in common use, I’ll bet we would see the same old fails with emoji PINs as with numeric PINs:

1234 is a terrible PIN. Similarly, choosing adjacent emojis on the keypad is also stupid.

Patterns also lead to trouble with PIN predictability, so choosing any PIN or emoji set that follows a line on the keypad or similar is bad.

There’s a great paper about predictability with Android PIN patterns.

It’s easier to press large buttons on numeric keypads with your fingers. Pressing 1 of 44 small emojis accurately is rather harder than 1 of 10 large numbers!


It’s great to get people talking about authentication, but using emojis is just plain silly when we already have plenty of very usable, effective PIN/password creation options.