Security Expert: Emoji Passwords Are A Bad Idea for Banks

British firm's new system is shortsighted

Security expert Erik Cabetas says that if you don't want one of these guys hacking your bank account, don't use emoji as your password. (Photo: Erik Cabetas)

British financial services firm Intelligent Environments caused a stir last week when it announced that it would let its customers use emoji passcodes to log into their accounts. The company launched the system after its study found that emoji passwords are both simpler and more secure than numbered ones. IE says its research shows that a third of Britons have forgotten their bank PIN numbers in the past, and one in four use the same password for all their accounts; in theory, it would be easier to remember different combinations of emoji.

The conventional 10-digit number code is also vulnerable to security threats—it only allows for 7,290 possible combinations. But IE’s emoji passwords, which make users choose four emoji out of a possible 44, allow for 3,498,308 unique permutations.

IE’s system is tailored to the changing tastes of twentysomethings—64 percent of them routinely use emoji, according to Tech Times.

“If anything, it’s a marketing move catered to millennials,” Erik Cabetas, managing partner at Include Security, a Brooklyn consulting firm, told the Observer in an email.

British bank Intelligent Environments has replaced number passwords with emoji, but the system is not as secure as the bank claims.

Mr. Cabetas outlined several other reasons why U.S. banks should not start converting their 360,000 ATMs to emoji just yet. There are three main issues with the system:

  • You can guard a PIN number from view when entering it into a physical ATM, but if you’re selecting emojis from a touch screen then that isn’t as easy.
  • With a PIN number you can verify over the phone.
  • Both emoji and PIN numbers will fall into the same pattern of use—“1234” will become “top row of emojis left to right.”

While Mr. Cabetas admitted that an emoji system would provide more options, he said that did not mean that the system was more secure.

“It does have a bit more entropy than the current standard, but I don’t think switching to an emoji-based system adds that much more to the security of the system,” Mr. Cabetas said.

Mr. Cabetas concluded that an emoji system in itself would not be enough to authenticate a bank account.

“It’s fine for replacing a PIN number, but it’s not fine for replacing a password,” Mr. Cabetas said. “If it’s one factor in a multi-factor authentication system, then that’s OK. If it’s the only factor in authentication, then that’s not OK.”

So it looks like a smiley face won’t be replacing your mom’s birthday as a password anytime soon.
