Because it keeps coming up, how about a thread on Emoji in passwords. So we (and you) can link to it in the future.
Should they be allowed? For all practical purposes they can't not be. So, yes.
Should they be heavily warned against? Yes.
But why? Well...
First off, there are a lot of bad password policies out there. Mostly by services that probably store your password as plain text. The recent NIST recommendations suggest allowing Unicode, but normalized. https://pages.nist.gov/800-63-3/sp800-63b.html
This would normalize e + ¨ to ë, for example...
But there is no Emoji normalization:
Same emoji, on different platforms:
1⃣ 31-20e3 DIGIT ONE + COMBINING ENCLOSING KEYCAP
vs
1️⃣ 31-fe0f-20e3 DIGIT ONE + COMBINING ENCLOSING KEYCAP
👁‍🗨 1f441-200d-1f5e8 EYE IN SPEECH BUBBLE
vs
👁️‍🗨️ 1f441-fe0f-200d-1f5e8-fe0f EYE IN SPEECH BUBBLE
Also, there are overlapping variant forms that vary by vendor and version.
™ 2122 (default text)
™︎ 2122-FE0E (force text)
™️ 2122-FE0F (force emoji)
🕴 1f574 (default emoji)
🕴︎ 1f574-FE0E (force text)
🕴️ 1f574-FE0F (force emoji)
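An added example (mine, not part of the thread) that runs the sequences above through all four Unicode normalization forms with Python's unicodedata. The e + ¨ case collapses the way the NIST text intends; every emoji variant pair stays distinct under every form, because FE0E/FE0F, ZWJ and the keycap combiner have no decomposition. The sample data is constructed from the code points listed above.

```python
import unicodedata

# Constructed sample data: the code point sequences listed in the thread, grouped
# by the emoji they render as on some platform.
VARIANTS = {
    "keycap digit one": ("1\u20E3", "1\uFE0F\u20E3"),
    "eye in speech bubble": (
        "\U0001F441\u200D\U0001F5E8",
        "\U0001F441\uFE0F\u200D\U0001F5E8\uFE0F",
    ),
    "trade mark sign": ("\u2122", "\u2122\uFE0E", "\u2122\uFE0F"),
    "person in suit levitating": ("\U0001F574", "\U0001F574\uFE0E", "\U0001F574\uFE0F"),
}

FORMS = ("NFC", "NFD", "NFKC", "NFKD")


def code_points(s: str) -> str:
    """Hex sequence in the thread's notation, e.g. '31-fe0f-20e3'."""
    return "-".join(f"{ord(ch):x}" for ch in s)


def normalizes_together(a: str, b: str, form: str = "NFC") -> bool:
    """True when the given normalization form maps both strings to the same string."""
    return unicodedata.normalize(form, a) == unicodedata.normalize(form, b)


def distinct_after(variants, form: str) -> int:
    """Number of distinct strings left after normalizing every variant."""
    return len({unicodedata.normalize(form, v) for v in variants})


def survey(variants=VARIANTS) -> dict:
    """Per emoji, how many distinct sequences survive each normalization form."""
    return {
        name: {form: distinct_after(seqs, form) for form in FORMS}
        for name, seqs in variants.items()
    }


if __name__ == "__main__":
    # The case NIST's normalization advice handles: e + COMBINING DIAERESIS -> ë.
    print(code_points("e\u0308"), "->", code_points(unicodedata.normalize("NFC", "e\u0308")))
    # No form merges any of the emoji variants: the count never drops.
    for name, counts in survey().items():
        print(f"{name}: {counts}")
    # Side effect worth knowing before picking NFKC: it rewrites ™ itself as the letters TM.
    print(code_points("\u2122"), "->", code_points(unicodedata.normalize("NFKC", "\u2122")))
```

The last line is the catch with the compatibility forms: NFKC does not touch the variation selector but does turn the base character ™ into "TM", so a verifier that normalizes with NFKC is already storing something other than what the user typed.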
And the emoji definitions can change at any time (like the Emoji 12.1 rushed release this quarter).
And some vendors just do whatever they want.
Emoji only on Windows: 🐱‍👤, 🖔
Emoji only on Samsung: ⚀⚁⚂⚃⚄⚅
"Emoji" are effectively impossible to disallow specifically.
It gets worse. Emoji have been removed. If you input 🤝🏽 in a password, and then get a new phone, you no longer have it on your keyboard.
Multi-person skin tones removed from RGI:
https://emojipedia.org/wrestlers-type-3/
https://emojipedia.org/handshake-type-3/
http://unicode.org/Public/emoji/3.0/emoji-sequences.txt
http://unicode.org/Public/emoji/4.0/emoji-sequences.txt
Also, general to all Unicode (kaomoji for example), your input method may vary depending on situation: https://apple.stackexchange.com/questions/202143/i-included-emoji-in-my-password-and-now-i-cant-log-in-to-my-account-on-yosemite
Another fun one. "🤷 1f937 SHRUG" was a female on practically all platforms until last week. https://emojipedia.org/shrug/
Going forward, it will be gender neutral. To get the female variant you have to use:
🤷‍♀️ 1f937-200d-2640-fe0f WOMAN SHRUGGING
You can't just throw that at NFKD
To summarize:
The same emoji on different devices varies in the codepoints used.
The same emoji on the /same/ device, over time, varies in the codepoints used.
What even is an emoji??? The server just sees codepoints.
Allow them? Yes
WARN against them? Probably. ¯\_(ツ)_/¯
For some actual constructive advice, maybe something like roughly detecting emoji with the current data files [http://unicode.org/Public/emoji/latest/] or with a maintained regex [https://github.com/mathiasbynens/emoji-regex], and update as needed.
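An added example (mine, not the thread's) of the data-file route: a small parser for lines in the format of Unicode's emoji-data.txt, and a rough "does this password contain an emoji" check built on it. The excerpt embedded below is constructed for the example (a handful of lines, not the real file); in practice you would feed in the current file from the link above and refresh it with each release. The check deliberately treats digits, # and * as text unless followed by VS16, since those carry Emoji=Yes but are not emoji by default.

```python
import re

# Constructed excerpt in the format of emoji-data.txt: "<cp or range> ; <property> # <comment>".
# Not the real file; load the current one from unicode.org in production.
EMOJI_DATA_EXCERPT = """\
# emoji-data.txt (constructed excerpt for this example)
0023          ; Emoji                # E0.0   [1] (#️)       number sign
0030..0039    ; Emoji                # E0.0  [10] (0️..9️)    digit zero..digit nine
2122          ; Emoji                # E0.6   [1] (™️)       trade mark
1F574         ; Emoji                # E0.7   [1] (🕴️)       person in suit levitating
1F600..1F64F  ; Emoji                # E0.6  [80] (😀..🙏)   grinning face..folded hands
1F600..1F64F  ; Emoji_Presentation   # E0.6  [80] (😀..🙏)   grinning face..folded hands
1F937         ; Emoji_Presentation   # E3.0   [1] (🤷)       person shrugging
"""

LINE_RE = re.compile(r"^\s*([0-9A-F]{4,6})(?:\.\.([0-9A-F]{4,6}))?\s*;\s*(\w+)")
VS16 = 0xFE0F  # VARIATION SELECTOR-16: "force emoji presentation"


def parse_emoji_data(text: str) -> dict:
    """Return {property_name: [(lo, hi), ...]} from emoji-data.txt-style lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop the trailing comment
        m = LINE_RE.match(line)
        if not m:
            continue                         # blank or comment-only line
        lo = int(m.group(1), 16)
        hi = int(m.group(2), 16) if m.group(2) else lo
        props.setdefault(m.group(3), []).append((lo, hi))
    return props


PROPS = parse_emoji_data(EMOJI_DATA_EXCERPT)


def has_property(cp: int, ranges) -> bool:
    return any(lo <= cp <= hi for lo, hi in ranges)


def find_emoji(text: str, props: dict = PROPS) -> list:
    """Rough detection: code points shown as emoji by default (Emoji_Presentation),
    plus any Emoji-property code point explicitly switched to emoji form with VS16.
    Returns the offending code points; an empty list means nothing matched."""
    hits = []
    cps = [ord(ch) for ch in text]
    for i, cp in enumerate(cps):
        if has_property(cp, props.get("Emoji_Presentation", [])):
            hits.append(cp)
        elif (has_property(cp, props.get("Emoji", []))
              and i + 1 < len(cps) and cps[i + 1] == VS16):
            hits.append(cp)
    return hits


if __name__ == "__main__":
    for pw in ("hunter2", "tm\u2122", "tm\u2122\uFE0F", "pass\U0001F600word"):
        print(repr(pw), "->", [f"U+{cp:04X}" for cp in find_emoji(pw)])
```

As the thread says next, this is only useful for warning, not blocking: it knows nothing about vendor-only sequences, and anything it does know becomes stale at the next emoji release.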
Obviously useless for blocking emoji for the reasons stated. But
Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords: https://tools.ietf.org/html/rfc8265 [via @ezzatron]. Tldr: NFC, fold spaces, forbid PUA.
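An added example (mine, not from the thread or the RFC) that implements that tldr as a password preparation step and wires it into enrollment and verification. It folds non-ASCII space separators to U+0020, applies NFC, then rejects private-use code points; rejecting controls, surrogates and unassigned code points as well is my reading of the RFC's FreeformClass, not something the thread states. PBKDF2 and the fixed salt are stand-ins for whatever password hash you actually use.

```python
import hashlib
import hmac
import unicodedata


class PasswordPreparationError(ValueError):
    """Raised when a password contains a code point the profile disallows."""


# General categories rejected after normalization: private use (Co), control (Cc),
# unassigned (Cn), surrogate (Cs). Co is the thread's "forbid PUA"; the rest is an
# assumption about the RFC's FreeformClass for this example.
DISALLOWED_CATEGORIES = {"Co", "Cc", "Cn", "Cs"}


def prepare_opaque_string(pw: str) -> str:
    """OpaqueString-style preparation: fold spaces, NFC, forbid PUA."""
    if not pw:
        raise PasswordPreparationError("empty password")
    # Additional mapping rule: any non-ASCII space separator (Zs) becomes SPACE.
    folded = "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in pw)
    # Normalization rule: NFC (not NFKC; see the NIST/IETF discrepancy below).
    normalized = unicodedata.normalize("NFC", folded)
    for ch in normalized:
        cat = unicodedata.category(ch)
        if cat in DISALLOWED_CATEGORIES:
            raise PasswordPreparationError(f"disallowed code point U+{ord(ch):04X} ({cat})")
    return normalized


def enroll(pw: str, salt: bytes) -> bytes:
    """Hash the *prepared* string; the same preparation must run at verification."""
    prepared = prepare_opaque_string(pw).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", prepared, salt, 100_000)


def verify(pw: str, salt: bytes, stored: bytes) -> bool:
    try:
        candidate = enroll(pw, salt)
    except PasswordPreparationError:
        return False                      # unpreparable input never matches
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Exercise the profile on constructed inputs; returns the outcomes by name."""
    salt = b"constructed-salt-not-for-production"
    stored = enroll("caf\u00E9 \U0001F937", salt)      # é precomposed, plain shrug
    results = {
        "space_folded": prepare_opaque_string("pass\u00A0word"),
        "decomposed_form_verifies": verify("cafe\u0301 \U0001F937", salt, stored),
        "wrong_password_fails": verify("cafe \U0001F937", salt, stored),
        # The thread's point: a VS16 variant of the same emoji survives NFC untouched.
        "vs16_variant_fails": verify("caf\u00E9 \U0001F937\uFE0F", salt, stored),
    }
    try:
        prepare_opaque_string("\uE000secret")           # U+E000 is private use
        results["pua_rejected"] = False
    except PasswordPreparationError:
        results["pua_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note what the profile does and does not buy you: e + ¨ and ë verify as the same password, a no-break space and a space verify as the same password, but 🤷 and 🤷️ do not, which is exactly the "can't just throw that at NFKD" problem from earlier in the thread.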
Also see the Stability Policy (pretty useless for Emoji though).
https://unicode.org/policies/stability_policy.html
There are assumptions about Unicode you can make, that will never change, per the Stability Policy. Like the Private Use Area ranges.
But there are some things you can't take for granted.
Mongolian Vowel Separator has changed category twice.
Control > Space Separator > Control
Hmm, a discrepancy.
NIST [https://pages.nist.gov/800-63-3/sp800-63b.html] says: the verifier SHOULD apply the Normalization ... using either the NFKC or NFKD
IETF [https://tools.ietf.org/html/rfc8265] says:
4. Passwords > 4.2.2. Enforcement > Unicode Normalization Form C (NFC) MUST be applied to all strings.
🤯
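An added example (mine, not the thread's) of why that discrepancy matters in practice: the two profiles agree on emoji and on ordinary accented text, but disagree on any code point with a compatibility decomposition (ligatures, circled digits, superscripts, full-width forms), so a hash produced under one profile will not verify under the other. Plain SHA-256 stands in for a real password hash, since only equality matters here; the inputs are constructed.

```python
import hashlib
import unicodedata

# The two normalization choices quoted in the thread, keyed by who recommends them.
PROFILES = {
    "NIST SP 800-63B": "NFKC",
    "RFC 8265 OpaqueString": "NFC",
}


def prepare(pw: str, profile: str) -> str:
    return unicodedata.normalize(PROFILES[profile], pw)


def compat_code_points(pw: str) -> list:
    """Code points with a compatibility decomposition (tag in angle brackets):
    NFKC rewrites these, NFC leaves them alone. Useful for telling a user why."""
    return [
        (ch, unicodedata.decomposition(ch))
        for ch in pw
        if unicodedata.decomposition(ch).startswith("<")
    ]


def interoperable(pw: str) -> bool:
    """True when both profiles prepare the password to the same string."""
    return prepare(pw, "NIST SP 800-63B") == prepare(pw, "RFC 8265 OpaqueString")


def digest(pw: str, profile: str) -> str:
    # Stand-in for a real password hash; only equality is of interest here.
    return hashlib.sha256(prepare(pw, profile).encode("utf-8")).hexdigest()


def cross_verify(pw: str, enrolled_under: str, verified_under: str) -> bool:
    """Would a hash enrolled under one profile verify under the other?"""
    return digest(pw, enrolled_under) == digest(pw, verified_under)


if __name__ == "__main__":
    for pw in ("p\u00E4ss \U0001F937", "\uFB01le\u2460", "\u2122secret"):
        print(repr(pw), "interoperable:", interoperable(pw),
              "compat:", compat_code_points(pw))
```

The practical consequence: whichever form you pick, pick it once, apply it identically at enrollment and at verification, and record the choice, because migrating a hash store between an NFKC system and an NFC system will silently lock out every user whose password contains a compatibility character.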
Need more reasons to avoid emoji passwords? Random old Android phone. Swiftkey enters password mode on <input type="password">, but still allows emoji input.
Using a never-before used Emoji results in it being saved in the recently/frequently used list.
What does your phone do?
Addendum: Let's enumerate why flag emoji are spooky in passwords.
1. Flags are Regional Indicator Symbol pairs [https://en.wikipedia.org/wiki/Regional_Indicator_Symbol], referencing ISO 3166-1 alpha 2 [https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2]. Countries may later disappear if the United Nations decides they aren't countries.
2. Some are very similar:
🇷🇴 ROMANIA
🇹🇩 CHAD
🇮🇩 INDONESIA
🇲🇨 MONACO
2a. Some are canonically identical:
🇺🇸 UNITED STATES
🇺🇲 US MINOR OUTLYING ISLANDS
🇫🇷 FRANCE
🇲🇫 SAINT MARTIN
🇨🇵 CLIPPERTON ISLAND
And most emoji pickers won't tell you which is which, unless you search them.
3. Flags can disappear regionally. Most phones in mainland China will not show the Taiwan flag:
🇹🇼
And of late, iPhones in Hong Kong have started hiding it from input. [https://www.theverge.com/2019/10/7/20903613/apple-hiding-taiwan-flag-emoji-hong-kong-macau-china] https://twitter.com/thisboyuan/status/1179681769022353409
All these can make for input difficulties.
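An added example (mine, not the thread's) that shows what the server actually sees for the flags in points 1, 2 and 2a: a flag is two Regional Indicator code points, so the "canonically identical" US/UM and FR/MF/CP flags, and the look-alike RO/TD and ID/MC pairs, are all distinct byte sequences. It goes one step beyond the thread: the segmenter pairs regional indicators greedily left to right, the way renderers do, which means losing or mistyping a single regional indicator re-pairs every flag after it. The ISO codes used are constructed sample input.

```python
RI_BASE = 0x1F1E6  # REGIONAL INDICATOR SYMBOL LETTER A
RI_LAST = 0x1F1FF  # REGIONAL INDICATOR SYMBOL LETTER Z


def is_regional_indicator(ch: str) -> bool:
    return RI_BASE <= ord(ch) <= RI_LAST


def flag(iso2: str) -> str:
    """Build the flag emoji sequence for an ISO 3166-1 alpha-2 code, e.g. 'US'."""
    return "".join(chr(RI_BASE + ord(c) - ord("A")) for c in iso2.upper())


def letters(ri: str) -> str:
    """Map regional indicator symbols back to the ASCII letters they encode."""
    return "".join(chr(ord(c) - RI_BASE + ord("A")) for c in ri)


def segment_flags(text: str) -> list:
    """Split text into ('flag', 'XX'), ('ri', 'X') and ('text', ...) pieces, pairing
    regional indicators greedily from the left as renderers do. A lone 'ri' piece is
    an unpaired symbol that displays as a boxed letter rather than a flag."""
    pieces = []
    i = 0
    while i < len(text):
        if is_regional_indicator(text[i]):
            if i + 1 < len(text) and is_regional_indicator(text[i + 1]):
                pieces.append(("flag", letters(text[i:i + 2])))
                i += 2
            else:
                pieces.append(("ri", letters(text[i])))
                i += 1
        else:
            j = i
            while j < len(text) and not is_regional_indicator(text[j]):
                j += 1
            pieces.append(("text", text[i:j]))
            i = j
    return pieces


def code_points(s: str) -> str:
    return " ".join(f"U+{ord(ch):04X}" for ch in s)


if __name__ == "__main__":
    # Look-alike and "canonically identical" flags from the thread: all different bytes.
    for code in ("RO", "TD", "US", "UM", "FR", "MF", "CP", "TW"):
        print(code, flag(code), code_points(flag(code)))
    # Dropping the first regional indicator shifts every pairing that follows.
    typed = "pw" + flag("US") + flag("FR")
    print(segment_flags(typed))
    print(segment_flags(typed[:2] + typed[3:]))
```

The re-pairing case is the one worth remembering when a user reports that their "same" flag password stopped working: a password with several flags in a row has no per-flag boundaries at all, only a run of regional indicators that the display pairs up after the fact.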