<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Arial",sans-serif;
color:#1F497D;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:580336921;
mso-list-type:hybrid;
mso-list-template-ids:-31024700 -948916674 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Arial",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D">Designing password strategies is a science and expertise in itself. It is not easy. I am involved in implementing such designs but not in the design.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D">The emoji suggestion does not meet the NIST recommendations at least in the following points:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l0 level1 lfo1">
<span style="font-size:14.0pt;font-family:"Arial",sans-serif">An emoji is a character just as A, B or C. 8 emojis are 8 characters, which is too short. It is strange that I would feel the need to say so in this forum.<o:p></o:p></span></li><li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l0 level1 lfo1">
<span style="font-size:14.0pt;font-family:"Arial",sans-serif">It would be difficult to remember a long non trivial sequence of emojis. The recommendation is a phrase. My personal preference is a long phrase I can easily remember into which I introduce an error
in order to baffle dictionary attacks. For example: “Lorem ipsum dolor sit amet, consequetur adipiscing elit”<o:p></o:p></span></li><li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l0 level1 lfo1">
<span style="font-size:14.0pt;font-family:"Arial",sans-serif">NIST recommends allowing and using the whole range of Unicode rather than any subset.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D">Best Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D">Jonathan Rosenne</span><span style="font-size:14.0pt;color:#1F497D"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Unicode <unicode-bounces@corp.unicode.org> <b>On Behalf Of
</b>William_J_G Overington via Unicode<br>
<b>Sent:</b> Monday, April 11, 2022 10:34 PM<br>
<b>To:</b> unicode@corp.unicode.org<br>
<b>Subject:</b> RE: global password strategies<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Tex wrote:<o:p></o:p></p>
<div>
<p>> There are many problems that having a standard would resolve.<o:p></o:p></p>
<p>Yes.<o:p></o:p></p>
<p>> Simply stating an incomplete idea and then expecting Unicode Consortium or any other standards body to implement it is an arrogant and unreasonable proposition.<o:p></o:p></p>
<p>Well, I never wrote that I expected anything.<o:p></o:p></p>
<p>I wrote "So I am hoping ...", I simply put forward what seems to me a good idea that could be very useful in some circumstances,<o:p></o:p></p>
<p>> <span style="color:#002060">To become a standard the idea has to have support from many communities, and it has to be a fit for the organization’s responsibilities.</span><o:p></o:p></p>
<p><span style="color:#002060">If Unicode Inc. were to specify a specific choice of 64 emoji set out in an 8 by 8 array, then it would be a de facto standard which people could use or not use as they chose, with no concern that the specific layout were proprietary
and that someone or some organization might come along later and request royalties for using that particular layout.</span><o:p></o:p></p>
<p>> <span style="color:#002060">It isn’t clear emoji are needed or optimal for this purpose, compared to just using shapes (triangle up, triangle down, etc.) or for that matter that any images are needed, since it could be select row3 column 4.</span><o:p></o:p></p>
<p><span style="color:#002060"><br>
<br>
</span><o:p></o:p></p>
<p><span style="color:#002060">I am not suggesting emoji to the exclusion of other possibilities. For me, using emoji has the advantage that the pictures are mostly of everyday things, so someone would possibly or even probably know for each picture the word
to describe the picture in the language that he or she uses.</span><o:p></o:p></p>
<p>> <span style="color:#002060">Ultimately, the password this generates does not need Unicode since the output reduces to a series of row and column pairs. (Which is why this is just an interface.)</span><o:p></o:p></p>
<p>Well, I was not thinking of the output being a series of row and column pairs, I have, and am, thinking of the output being a sequence of Unicode characters, the 8 by 8 array of emoji being just as a way for an end user to enter a sequence of Unicode characters
as if an end user enters a sequence of Unicode characters as a password in a text box. Indeed perhaps there could be a text box like display below the 8 by 8 array and as the emoji are clicked the text box fills up, either with dots or an emoji display, depending
whether the text box is in Hide mode or Show mode. <o:p></o:p></p>
<p>The 8 by 8 array method of password entry would just work in parallel with the conventional text box method of password entry.<o:p></o:p></p>
<p><span style="color:#002060">It is sort of like how a built in keyboard on a laptop computer can work in parallel with an external keyboard.</span><o:p></o:p></p>
<p>> <span style="color:#002060">So if you think this should be a standard, establish the requirements for password entry, show that the proposal satisfies the requirements, find communities that agree and support the idea, and find a standards body that will
make it a standard.</span><o:p></o:p></p>
<p>Well, I opine that it could be helpful in some circumstances if a particular layout of 64 emoji in an 8 by 8 array so as to facilitate password entry in a manner not linked to any particular script or an particular language were to become published by Unicode
Inc. as an app developer would have a list available to use if so desired and if various producers of apps were to use the same particular layout that that could be helpful to end users.<o:p></o:p></p>
<p>What I am suggesting is just a simple sort of gadget to metaphorically bolt on to an existing password entry system to give the existing method an extra way for an end user to set up a password and to enter a previously set up password.<o:p></o:p></p>
<p>> <span style="color:#002060">You have not acknowledged the requirements for password entry (see the NIST document).</span><o:p></o:p></p>
<p><span style="color:#002060">Well, I did to the extent in that I mentioned a minimum of eight characters in a password.</span><o:p></o:p></p>
<p><span style="color:#002060">This method of entry would produce the possibility of 64 times 63 to the power of 7 possible passwords for eight character passwords alone. For longer passwords there would be many more possibilities.</span><o:p></o:p></p>
<p><span style="color:#002060">I have put forward an idea that I opine could be very useful in some circumstances. I hope that it gets implemented. Although I could publish a particular suggested layout of 64 emoji in an 8 by 8 array myself, I consider that
such a layout may never be taken up by app producers, yet if a suggested layout of 64 emoji in an 8 by 8 array were published by Unicode Inc. then it might well be taken up by many app producers and be of practical benefit to some end users.</span><o:p></o:p></p>
<p>William Overington<o:p></o:p></p>
<p>Monday 11 April 2022<o:p></o:p></p>
<p><o:p> </o:p></p>
<p><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>