DISCUSSION: down the rabbit hole of unicode characters in passwords

describes exactly why having complex passwords does not gain security as much as adding length to a password will do

I am in full agreement with respect to entropy. I did provide some entropy calculations comparing adding unicode characters vs increasing the password length with “normal” characters, and I characterized the results for adding 1 or 2 unicode characters as “underwhelming”, which I think is similar to what you’re saying. I went on to discuss some factors outside of entropy.

So from my point of view it would be the much easier and safer way to create a long password based for example on a sentence than trying to use Unicode characters in the password to make it more complex.

I can appreciate that, and I’m definitely not suggesting what anyone else should do.

From my thinking it can be helpful to introduce complexity into the mix to reduce the number of characters that have to be typed. The number of characters is a lot more of an issue on mobile platforms than PC because it’s hard to type long things on a mobile keyboard (my phone disables swiping mode for passwords). For me it’s an interesting mental challenge to come up with memorable and unique ways to increase entropy without raising the number of characters too high. The practicality is certainly subject to debate and is in part tied to our ability to remember these things and our ability to enter them quickly. The emoji keyboard does indeed provide for rapid entry if we can remember where to find them and where to plug them into our password. I don’t rule out there may be even easier ways to enter unicodes that I haven’t fully explored, especially custom mapping of keyboards.

And he also did some math on the effort of brute-forcing a Cryptomator vault.

EDIT - I missed that the first time around. There was a very interesting thing in your link about the “key derivation function”. The crackability of the password is not just dependent upon the entropy of the password itself, but also upon the way the password is processed (that key derivation function). Cryptomator apparently includes a key derivation function that makes a given password a lot less crackable than it would be when used in other applications. I’ll have to read up on that, could make most of my post irrelevant.
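
The trade-off discussed in this thread, worked through as an added example that is not part of the original posts: it compares the bits gained by inserting Unicode characters with the bits gained by extra length, and expresses a slow key derivation function as equivalent bits. The emoji pool size and both guess rates are constructed assumptions, and the figures only hold for characters chosen uniformly at random by a generator, not by a person.

```python
import math

ASCII_PRINTABLE = 95      # printable ASCII characters
EMOJI_POOL = 1_500        # assumed emoji-keyboard pool size (constructed value)
FAST_HASH_RATE = 1e10     # assumed guesses/s against a fast hash (constructed)
SLOW_KDF_RATE = 1e4       # assumed guesses/s against a slow KDF (constructed)

def random_password_bits(length, alphabet=ASCII_PRINTABLE):
    """Entropy in bits of `length` characters drawn uniformly from `alphabet`."""
    return length * math.log2(alphabet)

def bits_from_inserted_chars(base_length, count, pool=EMOJI_POOL):
    """Bits gained by inserting `count` pool characters at unknown positions.

    An attacker who knows the scheme must guess which characters were used
    (pool ** count) and which of the base_length + count slots they occupy.
    """
    positions = math.comb(base_length + count, count)
    return count * math.log2(pool) + math.log2(positions)

def equivalent_extra_ascii(base_length, count, pool=EMOJI_POOL):
    """Number of extra random ASCII characters that give the same gain."""
    gain = bits_from_inserted_chars(base_length, count, pool)
    return gain / math.log2(ASCII_PRINTABLE)

def kdf_equivalent_bits(fast_rate=FAST_HASH_RATE, slow_rate=SLOW_KDF_RATE):
    """Bits of attacker work added by slowing each guess with a KDF."""
    return math.log2(fast_rate / slow_rate)

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    base = 12
    print(f"{base} random ASCII chars: {random_password_bits(base):.1f} bits")
    for n in (1, 2):
        gain = bits_from_inserted_chars(base, n)
        same = equivalent_extra_ascii(base, n)
        print(f"+{n} emoji: +{gain:.1f} bits (about {same:.1f} ASCII chars)")
    print(f"slow KDF vs fast hash: +{kdf_equivalent_bits():.1f} bits")
    print(f"40 bits at KDF rate: {years_to_exhaust(40, SLOW_KDF_RATE):.1f} years")
```

With these assumed numbers, one inserted emoji is worth roughly two extra random ASCII characters, while the slow KDF alone contributes more attacker work than that single emoji.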