Passwords Are Broken—Can 3,600 Smiley Faces Fix Them?
Hackers are coming for your passwords, be that by the use of infostealer malware, brute-force hack attacks or good old-fashioned phishing campaigns. The use of unique and strong passwords has never been more vital.
But what if we told you there's a 3,600 smiley face solution to this password problem? Yes, you read that right - emojis are being considered as the answer to making our passwords stronger. Buckle up, let's dive in and see what security professionals have to say about using emojis for passwords in 2025.
The Positives: Can Emojis Make Passwords More Secure?
According to Casey Ellis, founder of the crowdsourced cybersecurity vulnerability platform Bugcrowd, “it’s a decent idea because it increases the possible characters that attackers would need to brute force (aka the keyspace) in order to guess or crack the password.”
Mike Cleveland, a consultant at Pentest People, agrees that “one of the biggest benefits with an emoji-based password is there is a much larger character set which increases the entropy of user set passwords.” He also pointed out that attackers may not include emoji-based passwords in their attack vectors, adding to the security factor.
Cleveland's colleague, Pentest People team leader Chris Richardson, added that using emojis expands the character set beyond standard alphanumeric and special characters, making brute-force attacks more difficult. “Using emojis expands the character set beyond standard alphanumeric and special characters,” Richardson said, “which makes brute-force attacks more difficult.”
The Downside: Are Emojis Enough?
While adding emojis to your password does add complexity, it's not enough. According to Kevin Higgins, senior consultant at Optiv, a laughing emoji, a couple of love hearts and a blown kiss would equate to Unicode equivalents of 😂~💕~😘, or an additional 27 characters in your password.
However, Higgins warned that alone it does not meet the Windows account password complexity requirement. The main concern from a security standpoint is that emojis are finite and can be downloaded with ease.
The Math: Is Entropy Enough?
Ajit Hatti, founder at PureID, returns to the math but warned, “if we see the most commonly used emojis, we have limited entropy, and so not a good idea to create passwords with.”
The Reality: Emojis Are Not A Solution
Jamie Akhtar, CEO of CyberSmart, doesn't support the idea of emoji passwords at all. “Many systems do not fully support the full range of Unicode characters,” Akhtar said, with this limitation alone potentially leading to problems during login, with some emojis not displaying correctly.
The Real Issue: Passwords Are Broken
According to Akhil Mittal, senior security consulting manager at Black Duck, “every few years, a so-called ‘fix’ for passwords emerges — longer passphrases, image-based logins and now emoji passwords.” The problem is that adding more complexity doesn't necessarily make passwords more secure.
The Solution: Passkeys, Password Managers and Multi-Factor Authentication
Dray Agha, senior manager of security operations at Huntress, agreed. “Emoji-based passwords are a fun idea, but not a security game changer,” Agha said. “Better options for security benefits exist, such as passkeys, password managers and multi-factor authentication.”
The Verdict: No, Smiley Faces Can't Fix The Broken Passwords Issue
So, to answer the question posed in my article headline, and with Betteridge’s Law applying: No, smiley faces can’t fix the broken passwords issue. What on earth were you thinking?