Usable Passwords Comps Winter/Spring 2022

Takeaways

There is no evidence emoji passwords outperform comp8 passwords on any measurement;
Emoji password security seems overall poor.

The data we got

GREEN represents a group and measurement combination for which there was a statistically significant correlation that held only for the emoji-password group; BLUE represents a group and measurement combination for which there was a statistically significant effect that wasn’t unique to the emoji-password group; RED represents a group and measurement combination for which there was no statistically significant correlation.

Survey Results

Users enjoyed their password schema less with emoji passwords than comp8 passwords;
Users who created their passwords on a phone reported more ease in remembering their emoji passwords when entering them;
Users from higher class years were less annoyed creating emoji passwords;
Users who used emojis more were less annoyed creating emoji passwords;
Users who used more emojis enjoyed their emoji password schema more than users who used fewer emojis.

Entropy Analysis

Since many participants used “Smileys and Emotions” emojis exclusively, we calculate entropy based on either the total emoji alphabet size (3633), or only the “Smileys and Emotions” alphabet size (163) if every emoji in the password is from that group.
Moreover, we found combo passwords present, which are comp8-compliant passwords that include an emoji. While conventional comp8 entropy calculations are based on numbers, letters, and symbols only, we separate out the combo passwords and use the emoji + comp8 alphabet size to calculate entropy.
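The alphabet-selection rule described above, written out as an added example (not the project's own analysis code). It assumes entropy is length × log2(alphabet size), a comp8 alphabet of 95 printable ASCII characters, and one code point per emoji. The smileys set is a small constructed sample, and comp8 policy compliance is not checked.

```python
import math

EMOJI_ALPHABET = 3633    # total emoji alphabet size (from the page)
SMILEYS_ALPHABET = 163   # "Smileys and Emotions" alphabet size (from the page)
ASCII_ALPHABET = 95      # assumption: printable ASCII for comp8 passwords

# Constructed sample of the "Smileys and Emotions" group; a real analysis
# would load the full group from the Unicode emoji data files.
SMILEYS_SAMPLE = set("😀😂😍😭😎🥰😊😡")

VARIATION_SELECTOR = "\ufe0f"  # presentation selector, not a symbol of its own


def classify(password, smileys=SMILEYS_SAMPLE):
    """Return (kind, alphabet_size, length) following the page's rule."""
    symbols = [c for c in password if c != VARIATION_SELECTOR]
    # Assumption: every non-ASCII code point is one emoji (no ZWJ sequences).
    emojis = [c for c in symbols if ord(c) > 127]
    if not emojis:
        return "comp8", ASCII_ALPHABET, len(symbols)
    if len(emojis) < len(symbols):
        # Mixed ASCII + emoji: use the combined alphabet, as for combo passwords.
        return "combo", EMOJI_ALPHABET + ASCII_ALPHABET, len(symbols)
    if all(c in smileys for c in emojis):
        # Every emoji comes from one group, so only that group's size counts.
        return "emoji-smileys", SMILEYS_ALPHABET, len(symbols)
    return "emoji", EMOJI_ALPHABET, len(symbols)


def entropy_bits(password, smileys=SMILEYS_SAMPLE):
    """Return (kind, entropy in bits) for one password."""
    kind, alphabet, length = classify(password, smileys)
    return kind, length * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the study data.
    for pw in ["😀😂😍😭", "😀🐶🍕🚀", "Passw0rd!", "Passw0rd!😀"]:
        kind, bits = entropy_bits(pw)
        print(f"{pw!r:16} {kind:14} {bits:6.1f} bits")
```
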
We got:

Therefore, we see that emoji passwords yield less entropy than comp8 passwords, while combo passwords have the highest entropy. We also measured entropy of passwords created on different devices:

Creation Strategies

How do people come up with their emoji passwords? From free-form survey responses we got:

As for comp8:

Discussion

There is no evidence emoji passwords outperform comp8 passwords on any measurement. In fact, there is evidence that they are worse in terms of security and enjoyment. This result may be partially due to sample sizes; the dropout rate for emoji password users was higher than for comp8 password users, so our final sample size was very small for emoji passwords (25).

Emoji password security seems overall poor. Emoji passwords showed fewer different password generation strategies than comp8 passwords, including “frequently used emojis”, which are very easy to guess with physical access to the user's device. Moreover, emoji passwords have lower overall entropy than comp8 passwords, making them easier to crack.
However, data on “combo” passwords looks promising: embedding an emoji in a comp8 password, or requiring a diversity of emoji types, could be a direction for future research.

Statistically, P-values are high for the number of tests we ran. If there were no real correlations in the data, with the number of tests we ran we would expect 3 (false) positives, and we found 5 positives, with only 3 being unique to emoji passwords! Overall, we were very careful about assuming data significance.

Hypotheses Tested

H1: Usability of emoji passwords will be higher for those that used the same type of device across both surveys than those who used different devices
No - Only 5 respondents used different devices, so not enough info!

H2: Usability will be higher on mobile devices than on the desktop
Mostly no - only for self-reported ease of recall

H3: The breadth of emojis used (i.e. entropy) is likely to be larger on a desktop device than if a mobile phone were used for emoji password creation
No - we found that entropy was higher on mobile phones than desktop!

H4: STEM students will create more usable passwords than students in other areas of interest
No - no statistically significant difference

H5: Students who use emojis more frequently will create more usable emoji-based passwords than those who only use emojis rarely.
Mostly no - only for self-reported enjoyment and annoyance

H6: Students who were tasked with making an emoji password are more likely to use strategies such as “convenience of placement” and “telling a story”, while comp8 passwords will be more likely to use common names and familiar words.
Yes - very many emoji passwords fit this scheme, though comp8 passwords were more varied