explain xkcd - User contributions [en]

Talk:1998: GDPR

2018-05-29T11:55:43Z

141.101.104.53:

This comic is a joke privacy policy, playing off a few things.
Everyone right now is updating their privacy policy to meet the new requirements from the European Union coming into effect today, 2018-05-25, the GDPR. Link to wikipedia: [https://en.wikipedia.org/wiki/General_Data_Protection_Regulation].
It also is pointing out that no one ever reads them "by using this website you opt in to quartering troops in your home", something you probably did not agree to.
--[[User:Fwacer|Fwacer]] ([[User talk:Fwacer|talk]]) 19:35, 25 May 2018 (UTC)

:Your wording "joke privacy policy" is really good and you should add it to the existing explanation. [[User:Lassombra|Lassombra]] ([[User talk:Lassombra|talk]]) 19:41, 25 May 2018 (UTC)
:: Thanks, I have added that. First edit! --[[User:Fwacer|Fwacer]] ([[User talk:Fwacer|talk]]) 20:25, 25 May 2018 (UTC)

Fortunately, this doesn't appear to supersede the Shadow Proclamation. Also, I wouldn't mind quartering troops in my home if they were sexy... [[Special:Contributions/172.68.90.82|172.68.90.82]] 20:56, 25 May 2018 (UTC) SiliconWolf

I wonder if this is the privacy policy of Beret Guy's company since he mentioned in the last comic that people keep sending them personal info even though they had asked them to stop.--[[Special:Contributions/172.69.42.112|172.69.42.112]] 21:07, 25 May 2018 (UTC)

What's the deal with the "Created by a Bot" coming up with relevant jokes as to what the explanation was created by? I didn't search exhaustively, but couldn't find any hints in other discussion pages. Is there a link to a discussion on this? Who did this? Dgbrt? I'm very curious. 00:30, 26 May 2018 (UTC) {{unsigned|DanB}}
:I've written the program creating the new pages when a new comic is out. It's run by the profile [[User:DgbrtBOT|DgbrtBOT]]. This ensures that all comic pages look similar, the navigation works, and more. --[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 01:12, 26 May 2018 (UTC)
::I see that now. But didn't it used to just say "Created by a bot" and not "Created by ''something relevant''"? Or has it always done that and I missed it? Is it a reference to a comic, or just something fun? Thanks for all your work on this site, by the way. [[User:DanB|DanB]] ([[User talk:DanB|talk]]) 17:40, 26 May 2018 (UTC)
:::The original text is: ''"Created by a BOT - Please change this comment when editing this page. Do NOT delete this tag too soon."'' Check the history. And when a new comic is out there is always a race about being the first to change the word ''BOT'' to something else. It was funny when that happened first, but as every joke it isn't funny anymore when it's overused. --[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 19:01, 26 May 2018 (UTC)

It also means if you are not a citizen of the European Union, your organs can be harvested without permission, doesn't it? {{unsigned ip|162.158.62.39}}
:That depends on whether you have instructed that your whole body be supercool-vitrified and stored around Titan for until the exoplanet colony ships depart. [[Special:Contributions/172.68.34.106|172.68.34.106]] 05:54, 26 May 2018 (UTC)

This comic failed to allow me to turn off everything Trump has ever tried to pay for; therefore, Randall owes me €300,000. [[Special:Contributions/172.68.34.106|172.68.34.106]] 05:54, 26 May 2018 (UTC)

Point of technicality:
:''"purely out of the goodness of our hearts" is a phrase never expected to be found ever anywhere in any privacy policy''
Aren't I allowed to block ads from funding sources which include organizations whose privacy policies don't provide goods or services purely out of the goodness of their hearts? [[Special:Contributions/172.68.34.106|172.68.34.106]] 06:17, 26 May 2018 (UTC)

;...similar laws preventing troops being quartert in ones home also exist in European countries
I don't know every European constitution but I probably would know this. The ''Third Amendment to the United States Constitution'' seems to be very unique to me. Laws about troops should exist in every country but this is about a ''constitution''. If nobody disagrees this has to be removed or enhanced. --[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 14:58, 26 May 2018 (UTC)
::I don't know, I can say for myself that when I read "similar laws", I understood just that - laws. I don't think the sentence implies it is also part of the constitution in those countries. But if you misread it that way, others may, too, and ambiguity is never a good thing, so feel free to clear it up if you want, but I wouldn't remove the reference to those laws entirely. [[User:Jaalenja|Jaalenja]] ([[User talk:Jaalenja|talk]]) 06:06, 28 May 2018 (UTC)
:::suggest changing to "but then immediately forces the user to agree to quarter troops in their home, which is a violation of the Third Amendment to the United States Constitution and against the law in many other countries." or something along those lines, would read much clearer. Please excuse if my formatting sucks, this is my first wiki suggestion, ever, ya done popped my cherry. SPeD[[Special:Contributions/173.245.52.121|173.245.52.121]] 08:30, 28 May 2018 (UTC)
::::In Germy, while not specifying statoning of troops directly, §13 Grundgesetz guarantees the inviolability of the apartment. Stationing troops in ones home would violate that part of the German constitution. [[Special:Contributions/162.158.89.37|162.158.89.37]] 12:15, 28 May 2018 (UTC)
I summarize: Explicitly mentioning ''troops being quartert in ones home'' is unique to the US constitution but most other countries have more common articles preventing the same. This narrow description on this matter only exists in the ''Third Amendment''. --[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 14:02, 28 May 2018 (UTC)

;Moved from the first paragraph
:''- this is incorrect, EU law applies to all legal entities currently physically within the EU - just like every other law and state in the world. If xkcd has a legal representative of some kind in the EU then it would be enforceable on that representative. so much fud.)''
This was entered by IP 162.158.38.70 at the explanation but should be discussed here which may be followed by some changes in the explanation. Please do not enter discussions at the explanation. --[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 18:48, 26 May 2018 (UTC)
::False. GDPR art. 3 (2): "This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union." So, if you're not physically present in the UE it might be harder to enforce, but may still be applicable. Don't want that? Then don't track EU citizens, or simply don't do business there at all.--[[Special:Contributions/162.158.91.89|162.158.91.89]] 10:26, 28 May 2018 (UTC)
:::Thanks, it's obvious the first paragraph in the explanation is correct. We should accompany it with a proper link. --[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 14:02, 28 May 2018 (UTC)
::::Done. A link to ''eugdpr.org'' seems better than a Wikipedia article. --[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 15:55, 28 May 2018 (UTC)
:::::You are aware that eugdpr.org is not an official site? I'd expect it to be abandoned when the whole GDPR hype is over. [[Special:Contributions/162.158.93.39|162.158.93.39]] 17:39, 28 May 2018 (UTC)
::::::Yes, I'm aware of this. But Wikipedia isn't too. Any better idea? I wouldn't mind. --[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 18:21, 28 May 2018 (UTC)
:::::::I think [http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679] is the official page. [[User:Jdluk|Jdluk]] ([[User talk:Jdluk|talk]]) 10:26, 29 May 2018 (UTC)

"Permissions" reminds me of Monty Python's Meaning of Life Part V: Live Organ Transplants. See https://www.youtube.com/watch?v=Sp-pU8TFsg0 {{unsigned ip|162.158.75.4}}

;Policy is not an Agreement?
The explanation mentions in several places "the agreement" -- my understanding of a privacy policy is that it is more like a promise than an agreement; the entity declaring the policy is bound to it whether I agree to it or not. It lays out rules that the site operator will adhere to in obtaining consent, which seems different from an agreement to me. [[Special:Contributions/162.158.93.39|162.158.93.39]] 17:35, 28 May 2018 (UTC)

Here in the netherlands, there is a law going into effect in a few years that allows the government to harvest your organs after death even without permission, as long as you didn't register against this. This sounds plenty like the organ harvesting part. [[Special:Contributions/141.101.104.53|141.101.104.53]] 11:55, 29 May 2018 (UTC)

1805: Unpublished Discoveries

2017-09-20T04:49:49Z

141.101.104.53: /* Explanation */

{{comic
| number = 1805
| date = March 1, 2017
| title = Unpublished Discoveries
| image = unpublished_discoveries.png
| titletext = If you must know, I'm currently researching how to save this emailed tax form as a regular PDF so I can print and sign it. Our work isn't a lock for the Nobel, but we're in the running.
}}

==Explanation==
{{incomplete|It is being discussed in the talk page if the tax return is a rouse to get Ponytail to back off or not. Current explanation leaves the option for both possibilities open in the title text explanation. Too many external links -- the explanation is not a link list!}}

[[Ponytail]] walks up to [[Megan]], and makes the observation that when a scientific discovery is made, it then takes a while to publish it. She then goes on to note that there are probably research teams making {{w|Nobel Prize|"Nobel-Prize-worthy"}} discoveries that have simply not been published. She is obviously curious if Megan is working on something like this, and tries to see what Megan is working on, but Megan prevents her from seeing this by partly closing her laptop. Then Ponytail asks Megan what she is doing but Megan just tells her that she isn't the one working on a project like this and ask her to "Go bother someone else."

This is not the first time Ponytail asks Megan if she is working on some groundbreaking research project: Back in [[1067: Pressures]], Ponytail was probing Megan about her work, since, as hinted by the caption of that comic, Megan is a Swiss patent clerk just like {{w|Albert Einstein}}. Ponytail thus assumes she has the same potential to produce Nobel-Prize-worthy work as him. While there is no clear indication that this comic should be a continuation of that comic or that Megan is a patent clerk, Ponytail still assumes Megan is on her way to a Nobel Prize - but that Megan is just not yet ready to announce her discovery to the public for one reason or another.

In the first two panels, [[Ponytail]] is referring to the general issue that, to publish a discovery on a scientific topic, it can take a very long time, especially when the discovery is [http://www.preposterousuniverse.com/blog/2005/09/16/einstein-vs-physical-review/ "Nobel-Prize-worthy"]. Obviously the first step is for the researcher to demonstrate rigor by more supporting experiments (see [[397: Unscientific]]), plus summarize the discovery into the format accepted by the {{w|scientific journal|journal}} the {{w|scientific paper|paper}} is submitted too. The latter can take considerable time by itself, especially if the first journal the paper is submitted to declines publication. Because other journals chosen afterwards may have a completely different layout (for instance in physics, the journal with the greatest {{w|impact factor}} is {{w|Nature (journal)|Nature}}, then followed by for instance {{w|Science (journal)|Science}} and then {{w|Physical Review Letters}}. All three have very different layouts regarding format and figures etc. Thus the paper may need to be submitted to various journals [http://www.phdcomics.com/comics.php?f=1888 until one accepts], which may also take a few months, and even when accepted it can take anywhere from 25 days to 150+ days just for the paper to be processed through the publishing system [http://www.nature.com/news/does-it-take-too-long-to-publish-research-1.19320 due to various reasons], including [http://www.phdcomics.com/comics/archive.php?comicid=1200 the nature of the publishing process], [http://www.phdcomics.com/comics.php?f=1760 reviewers] [http://www.phdcomics.com/comics/archive.php?comicid=538 assigning extra work as conditions for acceptance], or even [http://www.phdcomics.com/comics/archive.php?comicid=178 formatting problems]. This has prompted researchers to come up with some [http://www.phdcomics.com/comics/archive.php?comicid=926 interesting] [http://www.phdcomics.com/comics/archive.php?comicid=581 work-arounds].

In the title text, Megan claims that she is actually just trying to convert an emailed {{w|tax form}} to a PDF. This could of course just be to ward of any further attempts by Ponytail to spy on her "real" Nobel-worthy work. Megan sarcastically states that her conversion of tax forms is in the running for a Nobel Prize, perhaps because she considers it an incredibly difficult task (even for these things that should not be hard - see [[1349: Shouldn't Be Hard]]). While this could be true, this task is in no way connected to any kind of scientific endeavor, and as a result could never be considered for any kind of Nobel Prize. That the task is so difficult is though officially acknowledged by the {{w|IRS}} as they themselves note that saving and printing their [https://www.irs.com/articles/online-tax-forms Online tax forms] could be tricky. Quote:
:'''Fill-In Tax Forms'''
:''The IRS also offers Free Fillable Forms which allow you to save (and print) the information you’ve typed in online. The fill-in tax forms also require Adobe Acrobat Reader software. To save the data you’ve filled in, use the Adobe Reader’s “Save” function (not the web browser’s “Save” function). ...''

The months and weeks before April 15th (this comic was released on March 1st), is the "tax season" in the US so Americans are in the process of completing their tax forms, which is why this comic is timely. Given the US tax code is complained by many to be [http://time.com/4286921/complex-tax-code/ too complex], it is possible for researchers to delay publication of their discoveries to deal with their tax returns first. This can cause people to "sit on their discovery" for a while, although [http://www.nolo.com/legal-encyclopedia/how-much-time-do-you-spend-preparing-your-tax-return.html hopefully not as long] as the task of publishing itself.

==Transcript==
:[Ponytail walks up to Megan, who is sitting in an office chair at a desk using her laptop.]
:Ponytail: When you make a big scientific discovery, it takes a while to get it published.
:Ponytail: Right?
:Megan: Mm hmm.

:[Zoom-in on Ponytail.]
:Ponytail: So there are probably several research teams out there who are sitting on Nobel-Prize-worthy discoveries, but haven't told the rest of us yet.
:Megan (off-panel): Makes sense.

:[Ponytail leans over the desk, trying to see Megan's laptop screen from behind it.]

:[Ponytail leans further. Megan pulls the screen down so Ponytail cannot see it.]
:Ponytail: Sooo... What are you working on?
:Megan: ''It isn't me!''
:Ponytail: I promise I won't tell.
:Megan: Shoo! Go bother someone else.

{{comic discussion}}

[[Category:Comics featuring Ponytail]]
[[Category:Comics featuring Megan]]
[[Category:Science]]
[[Category:Computers]]

1512: Horoscopes

2015-04-16T05:39:39Z

141.101.104.53: about US-centricity

{{comic
| number = 1512
| date = April 15, 2015
| title = Horoscopes
| image = horoscopes.png
| titletext = If you live in the Northern hemisphere, anyway. In the southern hemisphere, due to the coriolis effect, babies are born nine months BEFORE they're conceived.
}}
==Explanation==
{{w|Horoscopes}} purport to predict someone's personality or future, depending on the position of planets and stars at the time of their birth and at present. Horoscopes commonly group people into twelve groups based on {{w|zodiac signs}}. The Zodiac signs are based on twelve constellations that follow the approximate path of the sun in our night sky. One's zodiac sign is determined by the position of the sun on their birthday, with each sign representing a specific approximately one-month period.

Today, horoscopes are admitted to be {{w|pseudoscience}} which is why the comic jokes about the fact that its horoscopes at least ''may'' be true (at least for someone born after a full term pregnancy). Actual horoscopes are typically so vague that they could be true for almost anyone regardless of their sign. Note that this horoscope is tailored for an audience in the {{w|United States}}, as most cultural references are centered on "Western" culture, and several won't even work in Europe, for example. With the principle understood, it is easy to apply local traditions for more accuracy in non-Western cultures, however.

Since the 12 category zodiac signs in horoscopes are based on birthday dates, [[Randall]] can do some informed guess about the context of someone's {{w|Fertilisation|conception}} (i.e., what was happening nine months before they were born, apart from the {{w|Sexual intercourse|obvious}}), depending on the sign. For example, {{w|Virgo (astrology)|Virgo}} are born between August 23 and September 22, so based on a 9-month gestational period, they were likely {{w|Fertilisation|conceived}} shortly before Christmas, leading to the guess "You may have been conceived while a Christmas song played". Randall also phrases his "predictions" as possibilities ("you may have") rather than declarations, acknowledging that unlike actual horoscopes, his don't necessarily apply to everyone. See detailed description in the [[#Table of Astrological signs|table]] below.

The title text refers to the {{w|Coriolis effect}} which occurs to a body that is moving on an object that is spinning. Since the Earth is rotating this leads to the fact that something that is moving on Earth feels a force (the Coriolis force) which causes the moving object to be deflected to the right in the {{w|northern hemisphere}} and to the left in the {{w|southern hemisphere}}. This effect is the reason that {{w|Coriolis_effect#Meteorology|weather systems}} (most clearly seen for {{w|hurricanes}}) rotate in one direction in the northern hemisphere and in the opposite direction in the southern hemisphere. There is also a common {{w|Coriolis_effect#Draining_in_bathtubs_and_toilets|misconception}} that the Coriolis force in respect of the Earth affects objects on a much smaller level, such as the direction water will spin down a drain in the two hemispheres (see also [[843: Misconceptions]]). The Coriolis force ''can'' also be experienced on a much smaller scale, for instance if you try to walk on a spinning carousel.

Randall plays on the misconception to make a joke involving reversing the flow of time. So whereas babies are born nine months '''after''' conception in the northern hemisphere (clockwise) the Coriolis effect is the reason why babies are being born nine months '''before''' in the southern hemisphere (counterclockwise). This may also be a play on the scientifically inaccurate principle used in the first ''{{w|Superman (1978)|Superman}}'' film, in which Superman reverses time by flying around the earth at high speed in the opposite direction of its rotation.

<s>In reality, the relevant difference between the northern and southern hemispheres is that the meteorological seasons are a half-year out of phase between the two. This renders some of the "predictions" (such as a hot day in August or people trapped by snow in January-February) invalid for the southern hemisphere.</s>

The humorously misinterpreted Coriolis effect explanation of a 9 month shift in the other direction actually functions correctly as an offset for the seasonal predictions. An easy way to count backward 9 months is to add three months. Adding 9 months (or going backward three months) will perform the correct seasonal offset for a southern hemisphere birth with respect to a northern hemisphere person's point of view.

Cf. the Weird Al song ''Horoscope for Today'' which also makes vague guesses, only they refer to bizarre events and tasks.

==Table of Astrological signs==
Here below is a table with data and explanation of the individual horoscopes:
{| class="wikitable"
!{{w|Astrological sign|Astrological sign}}
!English name
!{{w|Birthday}} range
!Expected {{w|Fertilisation|conception}}
!Horoscope prediction
!Explanation
|-
|♈ {{w|Aries (astrology)|Aries}}
|The Ram
|March 21 - April 21
|June 14 - July 14
|You may have been conceived after a 4th of July fireworks show
|In the US the {{w|Independence Day (United States)|Independence Day}} is celebrated on the 4th of July, and this is customarily celebrated with huge fireworks. Fireworks are also often used in movies to depict the culmination of sex (i.e. the orgasm), and hence the potential for conception.
|-
|♉ {{w|Taurus (astrology)|Taurus}}
|The Bull
|April 20 - May 20
|July 13 - August 13
|You may have been conceived on a hot August day
|In most of the northern hemisphere there are many hot days in {{w|August}}. Sometimes hot days increase lust, especially if it's too hot to go out or do anything else.
|-
|♊ {{w|Gemini (astrology)|Gemini}}
|The Twins
|May 21 - June 21
|August 14 - September 14
|You may have been conceived as the leaves began to change
|In the northern part of the northern hemisphere the {{w|autumn}} starts at the end of this time period, so the leaves will begin to change color.
|-
|♋ {{w|Cancer (astrology)|Cancer}}
|The Crab
|June 21 - July 21
|September 14 - October 14
|You may have been conceived by people trying on costumes
|This period ends 10 days before {{w|Halloween}}, so it is not unlikely that the people who conceived you (mom and dad) tried on their new costumes when they made you.
|-
|♌ {{w|Leo (astrology)|Leo}}
|The Lion
|July 22 - August 23
|October 15 - November 16
|You may have been conceived during thanksgiving
|{{w|Thanksgiving}} is celebrated in the US on fourth Thursday of November, which for only two out of seven years will lie before the 23rd of November. However many people are born before 9 months so it is not unlikely for someone born as a Leo to be conceived on this day.
|-
|♍ {{w|Virgo (astrology)|Virgo}}
|The Maiden
|August 23 - September 22
|November 16 - December 15
|You may have been conceived while a Christmas song played
|It is very common for {{w|Christmas}} songs to be played in the month before Christmas
|-
|♎ {{w|Libra (astrology)|Libra}}
|The Scales
|September 22 - October 23
|December 15 - January 16
|You may have been conceived after a new year's eve party
|Since {{w|New Year's Eve}} always falls on December 31, and since the party goes on into the new year this fits with Libra. As it is very likely that people are together in a way that may lead to conception at this type of parties, there may even be rather more than a 30th part of the people that are Libra that are conceived at such a party.
|-
|♏ {{w|Scorpio (astrology)|Scorpio}}
|The Scorpion
|October 23 and November 22
|January 16 - February 15
|You may have been conceived by people stuck inside after a long winter
|This period is during the coolest part and towards the end of the {{w|winter}} in the northern hemisphere. People may even be forced to stay at home due to snow. When people have nothing else to do [https://www.google.dk/search?q=babies+9+month+after+snowstorm&ie=utf-8&oe=utf-8&gws_rd=cr&ei=qzkuVcjAE4qsswGevoC4CQ many babies are born 9 months later].
|-
|♐ {{w|Sagittarius (astrology)|Sagittarius}}
|The Archer
|November 22 - December 21
|February 15 - March 14
|You may have been conceived during March madness
|Although originally the early part of the mating season for the {{w|European Hare}}, in which females fight off male suitors, in a US context this is an American college Basketball tournament [http://www.ncaa.com/march-madness].
|-
|♑ {{w|Capricorn (astrology)|Capricorn}}
|The Goat
|December 22 - January 19
|March 15 - April 12
|You may have been conceived during a sexy Easter Egg hunt
|{{w|Easter}} falls between {{w|List_of_dates_for_Easter#Earliest_Easter|March 22}} and {{w|List_of_dates_for_Easter#Latest_Easter|April 25}} so most {{w|Egg hunt|Easter Egg hunt}}, sexy or not, will fall in the relevant period to conceive Capricorn children. The goal of an Easter egg hunt can be to find as many eggs in a given time, or find a sequence of eggs, each containing a clue to the next. It is not difficult to think of adult variations on these themes. Most Egg hunts do not involve people who should make them sexy! On the other hand, the egg itself, as an Easter symbol, is a symbol of fertility.
|-
|♒ {{w|Aquarius (astrology)|Aquarius}}
|The Water Carrier
|January 20 - February 18
|April 13 - May 11
|You may have been conceived on Mother's day
|{{w|Mother's Day}} in the USA,and some other countries, is on the second Sunday in May, between the 8th and 14th of May.
|-
|♓ {{w|Pisces (astrology)|Pisces}}
|The Fish
|February 19 - March 20
|May 12 - June 13
|You may have been conceived at someone's wedding
|It is not uncommon that people meet and even go so far as to risk conceiving a child at someones {{w|wedding}}, and June is widely reported as the most popular month for weddings in the United States. The tradition of a June Bride (late spring and beginning of summer in the northern hemisphere) may be an old one and hence explains the reference for Pisces which lies mainly in June. [https://open.abc.net.au/explore/22074 ABC claim] that in the 15th and 16th century, May would have been the month for an "annual bath", and moreover {{w|June}} is named for {{w|Juno (mythology)|Juno}}, goddess of the home and hearth.
|}

==Transcript==
:[Above the frame:]
:'''Horoscopes'''
:With an actual basis in fact
:[A list with the name of each astrological sign in the first column (in gray) and a horoscope for each sign in the second column. Here given in table form]
:{| class="wikitable"
! Aries
| You may have been conceived after a 4th of July fireworks show
|-
! Taurus
| You may have been conceived on a hot August day
|-
! Gemini
| You may have been conceived as the leaves began to change
|-
! Cancer
| You may have been conceived by people trying on costumes
|-
! Leo
| You may have been conceived during Thanksgiving
|-
! Virgo
| You may have been conceived while a Christmas song played
|-
! Libra
| You may have been conceived after a New Year’s Eve party
|-
! Scorpio
| You may have been conceived by people stuck inside after a long winter
|-
! Sagittarius
| You may have been conceived during March Madness
|-
! Capricorn
| You may have been conceived during a sexy Easter egg hunt
|-
! Aquarius
| You may have been conceived on Mother's day
|-
! Pisces
| You may have been conceived at someone's wedding
|}

{{comic discussion}}


[[Category:Chart]]
[[Category:Sex]]
[[Category:Christmas]]

Talk:936: Password Strength

2014-12-04T13:14:54Z

141.101.104.53:

You still have to vary the words with a bit of capitalization, punctuation and numbers a bit, or hackers can just run a dictionary attack against your string of four words. '''[[User:Davidy22|{{Color|purple|David}}y²²]]'''[[User talk:Davidy22|<tt>[talk]</tt>]] 09:12, 9 March 2013 (UTC)

No you don't. Hackers cannot run a dictionary attack against a string of four randomly picked words.
Look at the number of bits displayed in the image: 11 bits for each word.
That means he's assuming a dictionary of 2048 words, from which each word is picked randomly.
The assumption is that the cracker knows your password scheme.
[[Special:Contributions/86.81.151.19|86.81.151.19]] 20:17, 28 April 2013 (UTC)
Willem

:I just wrote a program to bruteforce this password creation method. https://github.com/KrasnayaSecurity/xkcd936/blob/master/listGen936.py Once I get it I'll try coming up with more bruteforcing algorithms such as substituting symbols, numbers, camel case, and the like. Point is, don't rely on this or any one method. I wouldn't be surprised if the crackers are already working on something like this. [[User:Lieutenant S.|Lieutenant S.]] ([[User talk:Lieutenant S.|talk]]) 07:03, 8 September 2014 (UTC)
:It took 1.25 hours to bruteforce "correcthorsebatterystaple" using the 2,000 most common words with one CPU. [[User:Lieutenant S.|Lieutenant S.]] ([[User talk:Lieutenant S.|talk]]) 07:09, 9 September 2014 (UTC)
:: 1) ... as compared to 69 milliseconds for the other method. 2) Since you are able to test 3,9 billion passwords as second (very impressive!) I am guessing that your setup is not performing its attack over a ”weak remote service”, which is breaking the rules of the #936 game. 3) five words and a 20k-wordlist would get you 9400 years (still breaking the weak remote service rule).--[[User:Gnirre|Gnirre]] ([[User talk:Gnirre|talk]]) 09:13, 14 October 2014 (UTC)

Sometimes this is not possible. (I'm looking at you, local banks with 8-12 character passwords and PayPal) If I can, I use a full sentence. A compound sentence for the important stuff. This adds the capitalization, punctuation and possibly the use of numbers while it's even easier to remember then Randall's scheme. I think it might help against the keyloggers too, if your browser/application autofills the username filed, because you password doesn't stand out from the feed with being gibberish. [[Special:Contributions/195.56.58.169|195.56.58.169]] 09:01, 30 August 2013 (UTC)

The basic concept can be adapted to limited-length passwords easily enough: memorize a phrase and use the first letter of each word. It'll require about a dozen words (you're only getting 4.7 bits per letter at best, actually less because first letters of words are not truly random, though they are weakly if at all correlated with their neighbors -- based on the frequencies of first letters of words in English, and assuming no correlation between each first letter and the next, I calculate about 4 bits per character of Shannon entropy). SteveMB 18:35, 30 August 2013 (UTC)

Followup: The results of extracting the first letters of words in sample texts (the {{w|Project_Gutenberg|Project Gutenberg}} texts of ''The Adventures of Huckleberry Finn'', ''The War of the Worlds'', and ''Little Fuzzy'') and applying a {{w|Entropy_(information_theory)|Shannon entropy calculation}} were 4.07 bits per letter (i.e. first letter in word) and 8.08 bits per digraph (i.e. first letters in two consecutive words). These results suggest that first-letter-of-phrase passwords have approximately 4 bits per letter of entropy. --[[User:SteveMB|SteveMB]] ([[User talk:SteveMB|talk]]) 14:21, 4 September 2013 (UTC)

Addendum: The above test was case-insensitive (all letters converted to lowercase before feeding them to the [[http://millikeys.sourceforge.net/freqanalysis.html frequency counter]]). Thus, true-random use of uppercase and lowercase would have 5 bits per letter of entropy, and any variation in case (e.g. preserving the case of the original first letter) would fall between 4 and 5 bits per letter. --[[User:SteveMB|SteveMB]] ([[User talk:SteveMB|talk]]) 14:28, 4 September 2013 (UTC)

I just have RANDOM.ORG print me ten pages of 8-character passwords and tape it to the wall, then highlight some of them and use others (say two down and to the right or similar) for my passwords, maybe a given line a line a little jumbled for more security. [[Special:Contributions/70.24.167.3|70.24.167.3]] 13:27, 30 September 2013 (UTC)
:Remind me to visit your office and secretly replace your wall-lists by a list of very similar looking strings ;) --[[User:Chtz|Chtz]] ([[User talk:Chtz|talk]]) 13:53, 30 September 2013 (UTC)

Simple.com (online banking site) had the following on it’s registration page:

“Passphrase? Yes. Passphrases are easier to remember and more secure than traditional passwords. For example, try a group of words with spaces in between, or a sentence you know you'll remember. "correct horse battery staple" is a better passphrase than r0b0tz26.”

Online security for a banking site has been informed by an online comic. Astounding.
[[Special:Contributions/173.245.54.78|173.245.54.78]] 21:22, 11 November 2013 (UTC)

The Web service Dropbox has an Easter egg related to this comic on their sign-up page. That page has a password strength indicator (powered by JavaScript) which changes as you type your password. This indicator also shows hints when hovering the mouse cursor over it. Entering "Tr0ub4dor&3" or "Tr0ub4dour&3" as the password causes the password strength indicator to fall to zero, with the hint saying, "Guess again." Entering "correcthorsebatterystaple" as the password also causes the strength indicator to fall to zero, but the hint says, "Whoa there, don't take advice from a webcomic too literally ;)." [[Special:Contributions/108.162.218.95|108.162.218.95]] 15:17, 11 February 2014 (UTC)

The explanation said that the comic uses a dictionary[http://www.explainxkcd.com/wiki/index.php?title=936:_Password_Strength&oldid=59309]. In fact it's a word list, which seems similar but it's not. All the words in the word list must be easy to memorize. This means it's better not to have words such as ''than'' or ''if''. Also, it's better not to have homophones (''wood'' and ''would'', for example). The sentence ''dictionary attack'' doesn't apply here. A dictionary attack requires the attacker to use all the words in the dictionary (e.g. 100,000 words). Here we must generate the 17,592,186,044,416 combinations of 4 common words. Those combinations can't be found in any dictionary. At 25 bytes per "word" that dictionary would need 400 {{w|tebi|binary terabytes}} to be stored. [[User:Xhfz|Xhfz]] ([[User talk:Xhfz|talk]]) 21:37, 11 March 2014 (UTC)

This comic was mentioned in a TED talk by Lorrie Faith Cranor on in March 2014. After performing a lot of studies and analysis, she concludes that "pass phrase" passwords are no easier to remember than complex passwords and that the increased length of the password increases the number of errors when typing it. There is a lot of other useful information from her studies that can be gleaned from the talk. [http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd Link]. What she doesn't mention is the frequency of changing passwords - in most organizations it's ~90 days. I don't know where that standard originated, but (as a sys admin) I suspect it's about as ineffective as most of our other password trickery - that is that it does nothing. Today's password thieves don't bash stolen password hash tables, they bundle keyloggers with game trainers and browser plugins.--[[Special:Contributions/173.245.50.75|173.245.50.75]] 18:14, 2 July 2014 (UTC)
:: Lorrie Faith Cranor gets the random part of #936 word generation correct, which is great. Regarding memorizability, this study (https://cups.cs.cmu.edu/soups/2012/proceedings/a7_Shay.pdf) does not address #936. The study uses no generator for gibberish of length 11. Most comparable are perhaps two classes of five or six randomly assigned characters. None of the study's generators has 44 bits of entropy – its dictionary for the method closest to #936 – noun-instr – contains only 181 nouns. The article contains no discussion of the significance of these differences to #936. In her TED Lorrie Faith Cranor says ”sorry all you xkcd fans” which could be interpreted as judgement of #936, but there is no basis in the above article for that. It does however seem plausible that the report could be reworked to address #936. --[[User:Gnirre|Gnirre]] ([[User talk:Gnirre|talk]]) 10:42, 14 October 2014 (UTC)

:Password-changing frequency isn't about making passwords more ''secure'', but instead it's about ''mitigating the damage'' of a successfully cracked password. If a hacker gets your password (through any means) and your password changes every 90 days, the password the hacker has obtained is only useful for a few months at most. That might be enough, but it might not. If the hacker is brute forcing the passwords to get them, that cuts into the time the password is useful. --[[Special:Contributions/173.245.54.168|173.245.54.168]] 22:22, 13 October 2014 (UTC)
::However, brute-forcing gets much ''easier'' that way.
::Say the average employee is around for 10 years, which is reasonable for some companies , absurdly high for others, and a bit low for a family business. That's 40 password changes.
::Now if you have to remember another password every now and then, you sacrifice complexity, lest you forget it. A factor of 40 is like one character less. But how much shorter will the password be? It's more likely that it's gonna be 3 or 4 characters less. Congrats, you just a factor of 1000's for a perceived "mitigation", which doesn't even work. Pro attackers can vacuum your server in a DAY once they have the PW. [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:03, 4 December 2014 (UTC)

Just because you are required to have a password that has letters and numbers in it doesn't mean you can't make it memorable. When caps are required, use CamelCase. When punctuation is required, make it an ampersand (&) or include a contraction. When numbers are required, pick something that has significance to you (your birthday, the resolution of your television, ect.). Keep in mind that, if your phrase is an actual sentence, the password entropy is 1.1 bits per character (http://what-if.xkcd.com/34), so length is key if you want your password to be secure. (Though no known algorithm can actually exploit the 1.1 bits of entropy to gain time, so it might be more like 11 bits of entropy per word. Even then, my passwords have nonexistent and uncommon words in them, (like doge or trope), which also adds some entropy.) [[Special:Contributions/108.162.246.213|108.162.246.213]] 22:18, 1 September 2014 (UTC)
:Flip side of the story, the "capital plus small plus other char" policy doesn't make your password any safer.
:The German company T-online had an experimental gateway with the password, "internet". Now that sucked. No problem, tho, because that gateway wasn't accessible from outside. When they went live, they "improved" the password to "Internet1". There are still lots of these passwords around: first letter is a Cap, and the only non-alphabetic char is a 1 at the end. This doesn't add any entropy. [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:03, 4 December 2014 (UTC)
::[http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so#2779020 This] shows that about one third of all digits in a sample of passwords was "1" . [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:14, 4 December 2014 (UTC)
You can also troll the brute-force engine by using words from other languages, fictional books and video games.--[[User:Horsebattery|Horsebattery]] ([[User talk:Horsebattery|talk]]) 03:04, 3 November 2014 (UTC)
:That's a good idea; it adds to the entropy bits per word. If you really want to throw them off, mix different languages. Just don't use very well-known words; I'm sure the hackers have ''cojones'' and ''Blitzkrieg'' in their dictionaries. [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:03, 4 December 2014 (UTC)

Talk:936: Password Strength

2014-12-04T13:03:08Z

141.101.104.53:

You still have to vary the words with a bit of capitalization, punctuation and numbers a bit, or hackers can just run a dictionary attack against your string of four words. '''[[User:Davidy22|{{Color|purple|David}}y²²]]'''[[User talk:Davidy22|<tt>[talk]</tt>]] 09:12, 9 March 2013 (UTC)

No you don't. Hackers cannot run a dictionary attack against a string of four randomly picked words.
Look at the number of bits displayed in the image: 11 bits for each word.
That means he's assuming a dictionary of 2048 words, from which each word is picked randomly.
The assumption is that the cracker knows your password scheme.
[[Special:Contributions/86.81.151.19|86.81.151.19]] 20:17, 28 April 2013 (UTC)
Willem

:I just wrote a program to bruteforce this password creation method. https://github.com/KrasnayaSecurity/xkcd936/blob/master/listGen936.py Once I get it I'll try coming up with more bruteforcing algorithms such as substituting symbols, numbers, camel case, and the like. Point is, don't rely on this or any one method. I wouldn't be surprised if the crackers are already working on something like this. [[User:Lieutenant S.|Lieutenant S.]] ([[User talk:Lieutenant S.|talk]]) 07:03, 8 September 2014 (UTC)
:It took 1.25 hours to bruteforce "correcthorsebatterystaple" using the 2,000 most common words with one CPU. [[User:Lieutenant S.|Lieutenant S.]] ([[User talk:Lieutenant S.|talk]]) 07:09, 9 September 2014 (UTC)
:: 1) ... as compared to 69 milliseconds for the other method. 2) Since you are able to test 3,9 billion passwords as second (very impressive!) I am guessing that your setup is not performing its attack over a ”weak remote service”, which is breaking the rules of the #936 game. 3) five words and a 20k-wordlist would get you 9400 years (still breaking the weak remote service rule).--[[User:Gnirre|Gnirre]] ([[User talk:Gnirre|talk]]) 09:13, 14 October 2014 (UTC)

Sometimes this is not possible. (I'm looking at you, local banks with 8-12 character passwords and PayPal) If I can, I use a full sentence. A compound sentence for the important stuff. This adds the capitalization, punctuation and possibly the use of numbers while it's even easier to remember then Randall's scheme. I think it might help against the keyloggers too, if your browser/application autofills the username filed, because you password doesn't stand out from the feed with being gibberish. [[Special:Contributions/195.56.58.169|195.56.58.169]] 09:01, 30 August 2013 (UTC)

The basic concept can be adapted to limited-length passwords easily enough: memorize a phrase and use the first letter of each word. It'll require about a dozen words (you're only getting 4.7 bits per letter at best, actually less because first letters of words are not truly random, though they are weakly if at all correlated with their neighbors -- based on the frequencies of first letters of words in English, and assuming no correlation between each first letter and the next, I calculate about 4 bits per character of Shannon entropy). SteveMB 18:35, 30 August 2013 (UTC)

Followup: The results of extracting the first letters of words in sample texts (the {{w|Project_Gutenberg|Project Gutenberg}} texts of ''The Adventures of Huckleberry Finn'', ''The War of the Worlds'', and ''Little Fuzzy'') and applying a {{w|Entropy_(information_theory)|Shannon entropy calculation}} were 4.07 bits per letter (i.e. first letter in word) and 8.08 bits per digraph (i.e. first letters in two consecutive words). These results suggest that first-letter-of-phrase passwords have approximately 4 bits per letter of entropy. --[[User:SteveMB|SteveMB]] ([[User talk:SteveMB|talk]]) 14:21, 4 September 2013 (UTC)

Addendum: The above test was case-insensitive (all letters converted to lowercase before feeding them to the [[http://millikeys.sourceforge.net/freqanalysis.html frequency counter]]). Thus, true-random use of uppercase and lowercase would have 5 bits per letter of entropy, and any variation in case (e.g. preserving the case of the original first letter) would fall between 4 and 5 bits per letter. --[[User:SteveMB|SteveMB]] ([[User talk:SteveMB|talk]]) 14:28, 4 September 2013 (UTC)

I just have RANDOM.ORG print me ten pages of 8-character passwords and tape it to the wall, then highlight some of them and use others (say two down and to the right or similar) for my passwords, maybe a given line a line a little jumbled for more security. [[Special:Contributions/70.24.167.3|70.24.167.3]] 13:27, 30 September 2013 (UTC)
:Remind me to visit your office and secretly replace your wall-lists by a list of very similar looking strings ;) --[[User:Chtz|Chtz]] ([[User talk:Chtz|talk]]) 13:53, 30 September 2013 (UTC)

Simple.com (online banking site) had the following on it’s registration page:

“Passphrase? Yes. Passphrases are easier to remember and more secure than traditional passwords. For example, try a group of words with spaces in between, or a sentence you know you'll remember. "correct horse battery staple" is a better passphrase than r0b0tz26.”

Online security for a banking site has been informed by an online comic. Astounding.
[[Special:Contributions/173.245.54.78|173.245.54.78]] 21:22, 11 November 2013 (UTC)

The Web service Dropbox has an Easter egg related to this comic on their sign-up page. That page has a password strength indicator (powered by JavaScript) which changes as you type your password. This indicator also shows hints when hovering the mouse cursor over it. Entering "Tr0ub4dor&3" or "Tr0ub4dour&3" as the password causes the password strength indicator to fall to zero, with the hint saying, "Guess again." Entering "correcthorsebatterystaple" as the password also causes the strength indicator to fall to zero, but the hint says, "Whoa there, don't take advice from a webcomic too literally ;)." [[Special:Contributions/108.162.218.95|108.162.218.95]] 15:17, 11 February 2014 (UTC)

The explanation said that the comic uses a dictionary[http://www.explainxkcd.com/wiki/index.php?title=936:_Password_Strength&oldid=59309]. In fact it's a word list, which seems similar but it's not. All the words in the word list must be easy to memorize. This means it's better not to have words such as ''than'' or ''if''. Also, it's better not to have homophones (''wood'' and ''would'', for example). The sentence ''dictionary attack'' doesn't apply here. A dictionary attack requires the attacker to use all the words in the dictionary (e.g. 100,000 words). Here we must generate the 17,592,186,044,416 combinations of 4 common words. Those combinations can't be found in any dictionary. At 25 bytes per "word" that dictionary would need 400 {{w|tebi|binary terabytes}} to be stored. [[User:Xhfz|Xhfz]] ([[User talk:Xhfz|talk]]) 21:37, 11 March 2014 (UTC)

This comic was mentioned in a TED talk by Lorrie Faith Cranor on in March 2014. After performing a lot of studies and analysis, she concludes that "pass phrase" passwords are no easier to remember than complex passwords and that the increased length of the password increases the number of errors when typing it. There is a lot of other useful information from her studies that can be gleaned from the talk. [http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd Link]. What she doesn't mention is the frequency of changing passwords - in most organizations it's ~90 days. I don't know where that standard originated, but (as a sys admin) I suspect it's about as ineffective as most of our other password trickery - that is that it does nothing. Today's password thieves don't bash stolen password hash tables, they bundle keyloggers with game trainers and browser plugins.--[[Special:Contributions/173.245.50.75|173.245.50.75]] 18:14, 2 July 2014 (UTC)
:: Lorrie Faith Cranor gets the random part of #936 word generation correct, which is great. Regarding memorizability, this study (https://cups.cs.cmu.edu/soups/2012/proceedings/a7_Shay.pdf) does not address #936. The study uses no generator for gibberish of length 11. Most comparable are perhaps two classes of five or six randomly assigned characters. None of the study's generators has 44 bits of entropy – its dictionary for the method closest to #936 – noun-instr – contains only 181 nouns. The article contains no discussion of the significance of these differences to #936. In her TED Lorrie Faith Cranor says ”sorry all you xkcd fans” which could be interpreted as judgement of #936, but there is no basis in the above article for that. It does however seem plausible that the report could be reworked to address #936. --[[User:Gnirre|Gnirre]] ([[User talk:Gnirre|talk]]) 10:42, 14 October 2014 (UTC)

:Password-changing frequency isn't about making passwords more ''secure'', but instead it's about ''mitigating the damage'' of a successfully cracked password. If a hacker gets your password (through any means) and your password changes every 90 days, the password the hacker has obtained is only useful for a few months at most. That might be enough, but it might not. If the hacker is brute forcing the passwords to get them, that cuts into the time the password is useful. --[[Special:Contributions/173.245.54.168|173.245.54.168]] 22:22, 13 October 2014 (UTC)
::However, brute-forcing gets much ''easier'' that way.
::Say the average employee is around for 10 years, which is reasonable for some companies , absurdly high for others, and a bit low for a family business. That's 40 password changes.
::Now if you have to remember another password every now and then, you sacrifice complexity, lest you forget it. A factor of 40 is like one character less. But how much shorter will the password be? It's more likely that it's gonna be 3 or 4 characters less. Congrats, you just a factor of 1000's for a perceived "mitigation", which doesn't even work. Pro attackers can vacuum your server in a DAY once they have the PW. [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:03, 4 December 2014 (UTC)

Just because you are required to have a password that has letters and numbers in it doesn't mean you can't make it memorable. When caps are required, use CamelCase. When punctuation is required, make it an ampersand (&) or include a contraction. When numbers are required, pick something that has significance to you (your birthday, the resolution of your television, ect.). Keep in mind that, if your phrase is an actual sentence, the password entropy is 1.1 bits per character (http://what-if.xkcd.com/34), so length is key if you want your password to be secure. (Though no known algorithm can actually exploit the 1.1 bits of entropy to gain time, so it might be more like 11 bits of entropy per word. Even then, my passwords have nonexistent and uncommon words in them, (like doge or trope), which also adds some entropy.) [[Special:Contributions/108.162.246.213|108.162.246.213]] 22:18, 1 September 2014 (UTC)
:Flip side of the story, the "capital plus small plus other char" policy doesn't make your password any safer.
:The German company T-online had an experimental gateway with the password, "internet". Now that sucked. No problem, tho, because that gateway wasn't accessible from outside. When they went live, they "improved" the password to "Internet1". There are still lots of these passwords around: first letter is a Cap, and the only non-alphabetic char is a 1 at the end. This doesn't add any entropy. [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:03, 4 December 2014 (UTC)

You can also troll the brute-force engine by using words from other languages, fictional books and video games.--[[User:Horsebattery|Horsebattery]] ([[User talk:Horsebattery|talk]]) 03:04, 3 November 2014 (UTC)
:That's a good idea; it adds to the entropy bits per word. If you really want to throw them off, mix different languages. Just don't use very well-known words; I'm sure the hackers have ''cojones'' and ''Blitzkrieg'' in their dictionaries. [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:03, 4 December 2014 (UTC)