<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 4/12/2022 9:59 AM, Jonathan Rosenne
via Unicode wrote:<br>
</div>
<blockquote type="cite"
cite="mid:AS8PR10MB4760BD89FB2F0C532CADF9D184ED9@AS8PR10MB4760.EURPRD10.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Arial",sans-serif;
color:#1F497D;
font-weight:normal;
font-style:normal;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D">Designing
password strategies is a science and expertise in itself. It
is not easy. I am involved in implementing such designs but
not in the design.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D">The
emoji suggestion does not meet the NIST recommendations at
least in the following points:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="color:#1F497D;margin-left:0in;mso-list:l0 level1
lfo1">
<span
style="font-size:14.0pt;font-family:"Arial",sans-serif">An
emoji is a character just as A, B or C. 8 emojis are 8
characters, which is too short. It is strange that I would
feel the need to say so in this forum.</span></li>
</ul>
</div>
</blockquote>
Many emoji are encoded as extended sequences of characters.<br>
<blockquote type="cite"
cite="mid:AS8PR10MB4760BD89FB2F0C532CADF9D184ED9@AS8PR10MB4760.EURPRD10.PROD.OUTLOOK.COM">
<div class="WordSection1">
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="color:#1F497D;margin-left:0in;mso-list:l0 level1
lfo1"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span><br>
</li>
<li class="MsoListParagraph"
style="color:#1F497D;margin-left:0in;mso-list:l0 level1
lfo1">
<span
style="font-size:14.0pt;font-family:"Arial",sans-serif">It
would be difficult to remember a long non trivial sequence
of emojis. </span></li>
</ul>
</div>
</blockquote>
From a usability perspective, with emoji presentation not actually
specified, it may be difficult to verify that a password is
accurately entered.<br>
<blockquote type="cite"
cite="mid:AS8PR10MB4760BD89FB2F0C532CADF9D184ED9@AS8PR10MB4760.EURPRD10.PROD.OUTLOOK.COM">
<div class="WordSection1">
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="color:#1F497D;margin-left:0in;mso-list:l0 level1
lfo1"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif">The
recommendation is a phrase. My personal preference is a
long phrase I can easily remember into which I introduce
an error in order to baffle dictionary attacks. For
example: “Lorem ipsum dolor sit amet, consequetur
adipiscing elit”<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="color:#1F497D;margin-left:0in;mso-list:l0 level1
lfo1">
<span
style="font-size:14.0pt;font-family:"Arial",sans-serif">NIST
recommends allowing and using the whole range of Unicode
rather than any subset.</span></li>
</ul>
</div>
</blockquote>
<p>This may work if you never shift devices. Otherwise you may find
yourself locked out by not being able to enter a password from
another device. (Or even from a future upgrade of yoru device).<br>
</p>
<blockquote type="cite"
cite="mid:AS8PR10MB4760BD89FB2F0C532CADF9D184ED9@AS8PR10MB4760.EURPRD10.PROD.OUTLOOK.COM">
<div class="WordSection1">
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="color:#1F497D;margin-left:0in;mso-list:l0 level1
lfo1"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></li>
</ul>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D">Best
Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D">Jonathan
Rosenne</span><span style="font-size:14.0pt;color:#1F497D"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>F</b></p>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>