How Emoji Passwords Work and Why They're a Game-Changer for Account Security

There are some passwords you just want to keep close. It could be that you don't have access to a secure password manager or need them for sites you access from multiple devices at a time. Whatever your reason, you still need a password that is both secure and easy to remember. 🔐

So, you know all the tricks: symbols, numbers, varied capitalization, and spacing. But there might be one other way to make your passwords less likely to be guessed or susceptible to brute-force attacks — emoji. 🤫

How emoji passwords work

Emoji are represented as Unicode characters, meaning they are not stored as images but as unique code points. For example, 😂, the cry-laughing emoji, is assigned the Unicode code point U+1F602. This standardized encoding allows emoji to be sent and displayed across different devices and platforms, such as from an iPhone to an Android tablet to a Windows computer. However, the visual appearance of an emoji may vary depending on the operating system, font, or app displaying it.

👉 Unicode character counting variations

When used in a password, how an emoji is counted depends on the website's encoding system:

• Some sites count each emoji as a single character (likely treating them as a single Unicode code point).

• Others, like ChatGPT and Facebook, count each emoji as two characters, suggesting they may be using UTF-16 code unit counting, where some emoji require two 16-bit code units.

• If an emoji includes extra variations, such as skin tones or zero-width joiner (ZWJ) sequences, the character count may increase because these variations are composed of multiple Unicode code points combined into a single visible emoji.

• If a device or operating system doesn't support an emoji — especially newer ones like 🫩 (Face with Bags Under Eyes) — it may appear as a blank square (□), an X in a box (☒), a question mark (� or ⍰), or other placeholder symbols. However, the emoji remains usable in passwords, even if it doesn't display correctly.

Here are a few examples to help illustrate those points:

• 👨🏽‍💻 (Man Technologist: Medium Skin Tone): This emoji consists of multiple Unicode code points, including U+1F468 (Man 👨), U+1F3FD (Medium Skin Tone 🏽), U+200D (Zero-Width Joiner), and U+1F4BB (Personal Computer 💻). This means the emoji counts as four characters, which is longer than a standard emoji in terms of encoded length. For sites and apps that use UTF-16 code points, this emoji increases to seven characters total by itself since U+1F468 (Man 👨), U+1F3FD (Medium Skin Tone 🏽), and U+1F4BB (Personal Computer 💻) all count as two characters each.

• 👨‍👩‍👧‍👦 (Family: Man, Woman, Girl, Boy): This emoji is actually seven Unicode code points, even though it appears as a single character. It consists of U+1F468 (Man 👨), U+200D (Zero-Width Joiner), U+1F469 (Woman 👩), U+200D (Zero-Width Joiner), U+1F467 (Girl 👧), U+200D (Zero-Width Joiner), and U+1F466 (Boy 👦). For sites and apps that use UTF-16 code points, this emoji increases to 11 characters in total since each code point except for U+200D (Zero-Width Joiner) counts as two characters each.

Since different platforms handle emoji passwords differently, there is no universal rule for how many "characters" an emoji contributes to a password. Not all websites process emoji passwords in the same way:

• Most websites store passwords as hashed values, meaning the exact emoji sequence you enter must match what was stored.

• Some platforms count emoji as one character (likely treating them as single Unicode code points), while others count them as two (likely using UTF-16 code units).

• Some websites may normalize passwords by converting emoji into a different encoding (e.g., UTF-8, UTF-32, or Punycode) before hashing.

• A few platforms might store passwords exactly as typed, meaning an emoji could be handled as a raw character input rather than being translated into Unicode — but this is rare and less secure.

• Some websites may reject emoji entirely, either due to technical limitations or to avoid potential security risks.

Because of these differences, checking whether a specific website supports emoji in passwords is important before relying on them for login security. For example, OpenAI accepts all-emoji passwords and requires at least 12 characters. But since it uses UTF-16 code points, you can effectively surpass that 12-character minimum with just a few emoji (not that it's a wise idea to do so). Other sites may require you to provide letters and numbers on top of the minimum character requirement, and emoji may or may not count against a special character requirement.

Where you can use emoji in passwords

While there is no universal support for emoji characters in passwords across apps and services, you'd be surprised how many will let you use them when creating or changing a password. However, you will run into issues on certain devices.

It's much easier to add emoji to passwords on a computer since many apps and websites will hide the emoji keyboard when creating or entering passwords on iPhones and Android smartphones. This is where password managers like iCloud Passwords & Keychain, LastPass, 1Password, Dashlane, and so on come in handy. You can create emoji-filled passwords in your password manager, then copy them over to an app or site when creating an account or updating your credentials. Then, simply use the auto-fill feature on your device to fill the emojified password into password fields when logging in.

Popular sites and apps that accept emoji passwords

We've tested a few popular apps and websites, and here's what we found. Keep in mind that these apps and services may seem like they don't support emoji in passwords when on a mobile device since your emoji keyboard may be automatically hidden. Don't be deterred — they still may allow them.

Accepts emoji in passwords

• Amazon

• Ask Ubuntu

• Canva

• Dropbox

• eBay

• Facebook

• MathOverflow

• OpenAI (ChatGPT)

• Quora

• Reddit

• Server Fault

• Spotify

• Stack Apps

• Stack Exchange

• Stack Overflow

• Super User

• X (formerly Twitter)

Does not accept emoji in passwords yet

• Google (Gmail, YouTube, etc.)

• Instagram

• iPad/iPhone passcode

• TikTok

Keep in mind that websites frequently update their password policies. What works today may not work in the future, so always test emoji passwords before committing to them on an important account.

Why use emojis as passwords?

So, what's the point of even using emoji in your password? Well, your passwords can be even stronger and more challenging to hack.

Passwords are only as strong as the effort it takes to crack them. Attackers use automated tools to systematically guess passwords, leveraging databases of leaked credentials and common patterns. Incorporating emoji expands the number of possible characters in your password, significantly increasing entropy. This added complexity makes brute-force attacks less effective since they rely on common character sets used in most passwords.

Adding emoji to passwords dramatically increases the number of possible character combinations. Since most password-cracking tools are optimized for standard letters, numbers, and symbols, an emoji-inclusive password could significantly slow down or even bypass certain automated attack methods.

And emoji-based passwords are far less vulnerable to dictionary attacks. Most brute-force tools rely on massive lists of commonly used words, phrases, and predictable substitutions (e.g., "p@ssw0rd" for "password"). Since emoji are rarely included in these databases, adding them to passwords introduces an extra layer of randomness that automated attacks struggle to process.

One of the main reasons many apps and sites ask you to use special characters and numbers in your passwords is that there's only so much complexity you can come up with in 26 letters.

As of iOS 18.3, there are about 3,800 available emoji, not counting gender and skin tone variants, and they're still being updated occasionally. iPhone users got 118 new emoji when iOS 17.4 dropped, and at least 8 are coming with iOS 18.4.

Additionally, emoji are a great way to make a relatively strong password that's easier to remember. After all, there are some passwords you want to keep close, especially ones you use for accounts you need access to at all times. Instead of trying to remember a slew of random letters and the occasional backward slash, a string of emoji telling a story (or a song lyric!) might be the better option.

Tips on using emojis in passwords

While using emoji in passwords does have some merit in account security, that doesn't mean they're the end-all-be-all. Here are some of the best ways to incorporate them:

• Avoid predictable emoji sequences: Using emoji in a logical order (e.g., ⭐⭐⭐ for "starstarstar") makes your password easier to guess. Hackers can recognize common themes like 🍕🍔🌭 (food), 😂🤣😭 (reactions), or 🏀⚽🏈 (sports) just as easily as they do weak passwords like "password123" or "qwerty." Instead, choose a mix of unrelated emoji that only make sense to you. Try associating emoji with a personal story or memory — this makes them harder for attackers to guess while remaining easy for you to recall.

• Consider using a password manager: As mentioned above, given the challenges of entering emoji passwords manually, especially on mobile phones, a password manager can help securely store and autofill your credentials.

• Use them in mixed passwords: Avoid relying solely on emoji. Instead, use them as part of a complex password that includes a mix of uppercase and lowercase letters, numbers, and special characters. For example, "🚀T0_the🌙!" is much stronger than using only emoji.

• Make sure emoji-based passwords are memorable: A password that's difficult to enter or remember is not necessarily more secure if you write it down or reset it frequently. For example, you can try adding emoji into three-random-word passwords — they're easier to remember, but now you get to add some extra security measures.

• Be mindful of input limitations: Some devices and websites may restrict emoji input. Always verify that a platform supports emoji before committing to an emoji-based password.

• Test emoji compatibility across devices: Before committing to an emoji password, test it on all the devices you use. Some keyboards or operating systems may not support certain emoji, potentially locking you out. Always ensure that the emoji displays correctly and can be reliably entered across all platforms.

Also, make sure to use emoji passwords alongside other security measures. Always follow your usual security best practices, like two-factor authentication, not opening unwarranted email attachments, updating passwords regularly, not using the same password across sites, etc. In the same way that one very strong password isn't an all-in-one fail-safe, just using emoji in your passwords won't be enough to protect you from all cyberthreats.

Don't Miss: Diceware Gives You Truly Random Yet Easy-to-Memorize Passwords

Cover photo and Screenshots by Gadget Hacks.