global password strategies

Jonathan Rosenne jr at qsm.co.il
Tue Apr 12 11:59:24 CDT 2022


Designing password strategies is a science and expertise in itself. It is not easy. I am involved in implementing such designs but not in the design.

The emoji suggestion does not meet the NIST recommendations at least in the following points:


  *   An emoji is a character just as A, B or C. 8 emojis are 8 characters, which is too short. It is strange that I would feel the need to say so in this forum.
  *   It would be difficult to remember a long non-trivial sequence of emojis. The recommendation is a phrase. My personal preference is a long phrase I can easily remember into which I introduce an error in order to baffle dictionary attacks. For example: “Lorem ipsum dolor sit amet, consequetur adipiscing elit”
  *   NIST recommends allowing and using the whole range of Unicode rather than any subset.

Best Regards,

Jonathan Rosenne

From: Unicode <unicode-bounces at corp.unicode.org> On Behalf Of William_J_G Overington via Unicode
Sent: Monday, April 11, 2022 10:34 PM
To: unicode at corp.unicode.org
Subject: RE: global password strategies

Tex wrote:

> There are many problems that having a standard would resolve.

Yes.

> Simply stating an incomplete idea and then expecting Unicode Consortium or any other standards body to implement it is an arrogant and unreasonable proposition.

Well, I never wrote that I expected anything.

I wrote "So I am hoping ...", I simply put forward what seems to me a good idea that could be very useful in some circumstances.

> To become a standard the idea has to have support from many communities, and it has to be a fit for the organization’s responsibilities.

If Unicode Inc. were to specify a specific choice of 64 emoji set out in an 8 by 8 array, then it would be a de facto standard which people could use or not use as they chose, with no concern that the specific layout were proprietary and that someone or some organization might come along later and request royalties for using that particular layout.

> It isn’t clear emoji are needed or optimal for this purpose, compared to just using shapes (triangle up, triangle down, etc.) or for that matter that any images are needed, since it could be select row3 column 4.



I am not suggesting emoji to the exclusion of other possibilities. For me, using emoji has the advantage that the pictures are mostly of everyday things, so someone would possibly or even probably know for each picture the word to describe the picture in the language that he or she uses.

> Ultimately, the password this generates does not need Unicode since the output reduces to a series of row and column pairs. (Which is why this is just an interface.)

Well, I was not thinking of the output being a series of row and column pairs, I have, and am, thinking of the output being a sequence of Unicode characters, the 8 by 8 array of emoji being just as a way for an end user to enter a sequence of Unicode characters as if an end user enters a sequence of Unicode characters as a password in a text box. Indeed perhaps there could be a text box like display below the 8 by 8 array and as the emoji are clicked the text box fills up, either with dots or an emoji display, depending whether the text box is in Hide mode or Show mode.

The 8 by 8 array method of password entry would just work in parallel with the conventional text box method of password entry.

It is sort of like how a built in keyboard on a laptop computer can work in parallel with an external keyboard.

> So if you think this should be a standard, establish the requirements for password entry, show that the proposal satisfies the requirements, find communities that agree and support the idea, and find a standards body that will make it a standard.

Well, I opine that it could be helpful in some circumstances if a particular layout of 64 emoji in an 8 by 8 array so as to facilitate password entry in a manner not linked to any particular script or any particular language were to become published by Unicode Inc. as an app developer would have a list available to use if so desired and if various producers of apps were to use the same particular layout that that could be helpful to end users.

What I am suggesting is just a simple sort of gadget to metaphorically bolt on to an existing password entry system to give the existing method an extra way for an end user to set up a password and to enter a previously set up password.

> You have not acknowledged the requirements for password entry (see the NIST document).

Well, I did to the extent in that I mentioned a minimum of eight characters in a password.

This method of entry would produce the possibility of 64 times 63 to the power of 7 possible passwords for eight character passwords alone. For longer passwords there would be many more possibilities.

I have put forward an idea that I opine could be very useful in some circumstances. I hope that it gets implemented. Although I could publish a particular suggested layout of 64 emoji in an 8 by 8 array myself, I consider that such a layout may never be taken up by app producers, yet if a suggested layout of 64 emoji in an 8 by 8 array were published by Unicode Inc. then it might well be taken up by many app producers and be of practical benefit to some end users.

William Overington

Monday 11 April 2022
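
An added example, not part of either message above: it puts the 64-cell grid count from the thread into bits and shows how a verifier that follows the NFKC normalization and code-point length counting described in NIST SP 800-63B sees emoji input. The function names and sample strings are constructed for illustration.

```python
import math
import unicodedata

GRID_CELLS = 64  # the 8 by 8 array proposed in the thread


def grid_bits(picks, cells=GRID_CELLS, immediate_repeats=True):
    """Upper bound in bits for `picks` uniformly random cell selections.

    immediate_repeats=False reproduces the thread's count of 64 * 63**7 for
    eight picks, read here (an assumption) as "no cell twice in a row".
    """
    if picks < 1:
        raise ValueError("need at least one pick")
    if immediate_repeats:
        return picks * math.log2(cells)
    return math.log2(cells) + (picks - 1) * math.log2(cells - 1)


def picks_needed(target_bits, cells=GRID_CELLS):
    """Smallest number of random picks whose search space reaches target_bits."""
    return math.ceil(target_bits / math.log2(cells))


def verifier_view(secret):
    """Return (NFKC-normalized secret, length counted in code points)."""
    normalized = unicodedata.normalize("NFKC", secret)
    return normalized, len(normalized)


# Constructed sample inputs, not taken from the thread.
EIGHT_FACES = "\U0001F600" * 8   # eight single-code-point emoji
HEART_VS16 = "\u2764\ufe0f"      # one glyph: heart plus variation selector
FULLWIDTH = "\uff21bc"           # fullwidth A followed by "bc"

if __name__ == "__main__":
    print(f"8 picks, repeats allowed: {grid_bits(8):.2f} bits")
    print(f"8 picks, 64 * 63**7     : {grid_bits(8, immediate_repeats=False):.2f} bits")
    print(f"picks for 80 bits       : {picks_needed(80)}")
    for label, s in [("eight faces", EIGHT_FACES), ("heart", HEART_VS16),
                     ("fullwidth", FULLWIDTH)]:
        norm, n = verifier_view(s)
        print(f"{label:12} -> {n} code points, normalized {norm!r}")
```

These figures are upper bounds for uniformly random picks; a sequence that a user chooses covers far less of the space. A grid cell whose emoji needs a variation selector contributes more than one code point to the stored secret, so the grid has to emit exactly the same sequence a keyboard would.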



