explain xkcd - User contributions [en]

Talk:936: Password Strength

2024-12-25T19:29:21Z

172.69.222.69:

''Fix the software first.'' If you double the time it takes to enter each repeated password attempt you make brute force attacks pointless. Imagine you allowed a hurried user who screws up their own password entry w/ frozen fingers. If their system starts out with a 1 second delay, then doubles to two, then to four, etc. the time it takes to wait is 2^n. Six screw ups cost you a minute, twenty errors and you are waiting 291 hours before your next log-in attempt.... kmc 2015-05-10 {{unsigned ip|108.162.229.124}}
: That's not how brute force attacks work. They steal the hashes of the passwords and then brute force them locally. [[Special:Contributions/198.41.235.107|198.41.235.107]] 23:43, 10 January 2016 (UTC)
:: Both are brute force. It is specified in the comic that we assume an attack against a weak remote web service though. --[[Special:Contributions/162.158.150.231|162.158.150.231]] 13:10, 16 September 2016 (UTC)

You still have to vary the words with a bit of capitalization, punctuation and numbers a bit, or hackers can just run a dictionary attack against your string of four words. '''[[User:Davidy22|{{Color|purple|David}}y²²]]'''[[User talk:Davidy22|<tt>[talk]</tt>]] 09:12, 9 March 2013 (UTC)
: Several discussions around the internet around this -- the consensus [ http://www.explainxkcd.com/wiki/index.php/936 looks like] that once this scheme is published it is fairly simple to run a dictionary attack on the password. My advise to most people is to use a password manager like lastpass or onepass that can generate pure random password. [[Special:Contributions/162.158.253.6|162.158.253.6]] 23:52, 10 March 2016 (UTC)

No you don't. Hackers cannot run a dictionary attack against a string of four randomly picked words.
Look at the number of bits displayed in the image: 11 bits for each word.
That means he's assuming a dictionary of 2048 words, from which each word is picked randomly.
The assumption is that the cracker knows your password scheme.
[[Special:Contributions/86.81.151.19|86.81.151.19]] 20:17, 28 April 2013 (UTC) Willem
:I just wrote a program to bruteforce this password creation method. https://github.com/KrasnayaSecurity/xkcd936/blob/master/listGen936.py Once I get it I'll try coming up with more bruteforcing algorithms such as substituting symbols, numbers, camel case, and the like. Point is, don't rely on this or any one method. I wouldn't be surprised if the crackers are already working on something like this. [[User:Lieutenant S.|Lieutenant S.]] ([[User talk:Lieutenant S.|talk]]) 07:03, 8 September 2014 (UTC)
:It took 1.25 hours to bruteforce "correcthorsebatterystaple" using the 2,000 most common words with one CPU. [[User:Lieutenant S.|Lieutenant S.]] ([[User talk:Lieutenant S.|talk]]) 07:09, 9 September 2014 (UTC)
:: 1) ... as compared to 69 milliseconds for the other method. 2) Since you are able to test 3,9 billion passwords as second (very impressive!) I am guessing that your setup is not performing its attack over a ”weak remote service”, which is breaking the rules of the #936 game. 3) five words and a 20k-wordlist would get you 9400 years (still breaking the weak remote service rule).--[[User:Gnirre|Gnirre]] ([[User talk:Gnirre|talk]]) 09:13, 14 October 2014 (UTC)
:: 2) Two thoughts: You use itertools.permutations, which only covers non-repeating words, but mainly you don't actually hash the password. If you have a plain-text password, there no need to crack the password because you could just look at it. Example of an actual crack for this type of password: https://github.com/koshippy/xkcd_password/blob/master/password_crack.py My computer gets 10,000,000 guesses in ~16 seconds (non-hashed takes ~2 seconds), meaning it would take almost a year to try every combination. (2048^4 total password space). Even optimizing by using c++/java or JtR, you wouldn't see huge improvement since most of the time is from the SHA hashing. Point being: a typical user can't crack this type of password in a short amount of time, even if they know your wordlist. [[Special:Contributions/199.27.128.212|199.27.128.212]] 12:05, 17 February 2015 (UTC) Koshippy

Sometimes this is not possible. (I'm looking at you, local banks with 8-12 character passwords and PayPal) If I can, I use a full sentence. A compound sentence for the important stuff. This adds the capitalization, punctuation and possibly the use of numbers while it's even easier to remember then Randall's scheme. I think it might help against the keyloggers too, if your browser/application autofills the username filed, because you password doesn't stand out from the feed with being gibberish. [[Special:Contributions/195.56.58.169|195.56.58.169]] 09:01, 30 August 2013 (UTC)

The basic concept can be adapted to limited-length passwords easily enough: memorize a phrase and use the first letter of each word. It'll require about a dozen words (you're only getting 4.7 bits per letter at best, actually less because first letters of words are not truly random, though they are weakly if at all correlated with their neighbors -- based on the frequencies of first letters of words in English, and assuming no correlation between each first letter and the next, I calculate about 4 bits per character of Shannon entropy). SteveMB 18:35, 30 August 2013 (UTC)

Followup: The results of extracting the first letters of words in sample texts (the {{w|Project_Gutenberg|Project Gutenberg}} texts of ''The Adventures of Huckleberry Finn'', ''The War of the Worlds'', and ''Little Fuzzy'') and applying a {{w|Entropy_(information_theory)|Shannon entropy calculation}} were 4.07 bits per letter (i.e. first letter in word) and 8.08 bits per digraph (i.e. first letters in two consecutive words). These results suggest that first-letter-of-phrase passwords have approximately 4 bits per letter of entropy. --[[User:SteveMB|SteveMB]] ([[User talk:SteveMB|talk]]) 14:21, 4 September 2013 (UTC)

Addendum: The above test was case-insensitive (all letters converted to lowercase before feeding them to the [[http://millikeys.sourceforge.net/freqanalysis.html frequency counter]]). Thus, true-random use of uppercase and lowercase would have 5 bits per letter of entropy, and any variation in case (e.g. preserving the case of the original first letter) would fall between 4 and 5 bits per letter. --[[User:SteveMB|SteveMB]] ([[User talk:SteveMB|talk]]) 14:28, 4 September 2013 (UTC)

I just have RANDOM.ORG print me ten pages of 8-character passwords and tape it to the wall, then highlight some of them and use others (say two down and to the right or similar) for my passwords, maybe a given line a line a little jumbled for more security. [[Special:Contributions/70.24.167.3|70.24.167.3]] 13:27, 30 September 2013 (UTC)
:Remind me to visit your office and secretly replace your wall-lists by a list of very similar looking strings ;) --[[User:Chtz|Chtz]] ([[User talk:Chtz|talk]]) 13:53, 30 September 2013 (UTC)

Simple.com (online banking site) had the following on it’s registration page:

“Passphrase? Yes. Passphrases are easier to remember and more secure than traditional passwords. For example, try a group of words with spaces in between, or a sentence you know you'll remember. "correct horse battery staple" is a better passphrase than r0b0tz26.”

Online security for a banking site has been informed by an online comic. Astounding.
[[Special:Contributions/173.245.54.78|173.245.54.78]] 21:22, 11 November 2013 (UTC)

The Web service Dropbox has an Easter egg related to this comic on their sign-up page. That page has a password strength indicator (powered by JavaScript) which changes as you type your password. This indicator also shows hints when hovering the mouse cursor over it. Entering "Tr0ub4dor&3" or "Tr0ub4dour&3" as the password causes the password strength indicator to fall to zero, with the hint saying, "Guess again." Entering "correcthorsebatterystaple" as the password also causes the strength indicator to fall to zero, but the hint says, "Whoa there, don't take advice from a webcomic too literally ;)." [[Special:Contributions/108.162.218.95|108.162.218.95]] 15:17, 11 February 2014 (UTC)

The explanation said that the comic uses a dictionary[http://www.explainxkcd.com/wiki/index.php?title=936:_Password_Strength&oldid=59309]. In fact it's a word list, which seems similar but it's not. All the words in the word list must be easy to memorize. This means it's better not to have words such as ''than'' or ''if''. Also, it's better not to have homophones (''wood'' and ''would'', for example). The sentence ''dictionary attack'' doesn't apply here. A dictionary attack requires the attacker to use all the words in the dictionary (e.g. 100,000 words). Here we must generate the 17,592,186,044,416 combinations of 4 common words. Those combinations can't be found in any dictionary. At 25 bytes per "word" that dictionary would need 400 {{w|tebi|binary terabytes}} to be stored. [[User:Xhfz|Xhfz]] ([[User talk:Xhfz|talk]]) 21:37, 11 March 2014 (UTC)

This comic was mentioned in a TED talk by Lorrie Faith Cranor on in March 2014. After performing a lot of studies and analysis, she concludes that "pass phrase" passwords are no easier to remember than complex passwords and that the increased length of the password increases the number of errors when typing it. There is a lot of other useful information from her studies that can be gleaned from the talk. [http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd Link]. What she doesn't mention is the frequency of changing passwords - in most organizations it's ~90 days. I don't know where that standard originated, but (as a sys admin) I suspect it's about as ineffective as most of our other password trickery - that is that it does nothing. Today's password thieves don't bash stolen password hash tables, they bundle keyloggers with game trainers and browser plugins.--[[Special:Contributions/173.245.50.75|173.245.50.75]] 18:14, 2 July 2014 (UTC)
:: Lorrie Faith Cranor gets the random part of #936 word generation correct, which is great. Regarding memorizability, this study (https://cups.cs.cmu.edu/soups/2012/proceedings/a7_Shay.pdf) does not address #936. The study uses no generator for gibberish of length 11. Most comparable are perhaps two classes of five or six randomly assigned characters. None of the study's generators has 44 bits of entropy – its dictionary for the method closest to #936 – noun-instr – contains only 181 nouns. The article contains no discussion of the significance of these differences to #936. In her TED Lorrie Faith Cranor says ”sorry all you xkcd fans” which could be interpreted as judgement of #936, but there is no basis in the above article for that. It does however seem plausible that the report could be reworked to address #936. --[[User:Gnirre|Gnirre]] ([[User talk:Gnirre|talk]]) 10:42, 14 October 2014 (UTC)

:Password-changing frequency isn't about making passwords more ''secure'', but instead it's about ''mitigating the damage'' of a successfully cracked password. If a hacker gets your password (through any means) and your password changes every 90 days, the password the hacker has obtained is only useful for a few months at most. That might be enough, but it might not. If the hacker is brute forcing the passwords to get them, that cuts into the time the password is useful. --[[Special:Contributions/173.245.54.168|173.245.54.168]] 22:22, 13 October 2014 (UTC)
::However, brute-forcing gets much ''easier'' that way.
::Say the average employee is around for 10 years, which is reasonable for some companies , absurdly high for others, and a bit low for a family business. That's 40 password changes.
::Now if you have to remember another password every now and then, you sacrifice complexity, lest you forget it. A factor of 40 is like one character less. But how much shorter will the password be? It's more likely that it's gonna be 3 or 4 characters less. Congrats, you just a factor of 1000's for a perceived "mitigation", which doesn't even work. Pro attackers can vacuum your server in a DAY once they have the PW. [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:03, 4 December 2014 (UTC)

Just because you are required to have a password that has letters and numbers in it doesn't mean you can't make it memorable. When caps are required, use CamelCase. When punctuation is required, make it an ampersand (&) or include a contraction. When numbers are required, pick something that has significance to you (your birthday, the resolution of your television, ect.). Keep in mind that, if your phrase is an actual sentence, the password entropy is 1.1 bits per character (http://what-if.xkcd.com/34), so length is key if you want your password to be secure. (Though no known algorithm can actually exploit the 1.1 bits of entropy to gain time, so it might be more like 11 bits of entropy per word. Even then, my passwords have nonexistent and uncommon words in them, (like doge or trope), which also adds some entropy.) [[Special:Contributions/108.162.246.213|108.162.246.213]] 22:18, 1 September 2014 (UTC)
:Flip side of the story, the "capital plus small plus other char" policy doesn't make your password any safer.
:The German company T-online had an experimental gateway with the password, "internet". Now that sucked. No problem, tho, because that gateway wasn't accessible from outside. When they went live, they "improved" the password to "Internet1". There are still lots of these passwords around: first letter is a Cap, and the only non-alphabetic char is a 1 at the end. This doesn't add any entropy. [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:03, 4 December 2014 (UTC)
::[http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so#2779020 This] shows that about one third of all digits in a sample of passwords was "1" . [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:14, 4 December 2014 (UTC)
You can also troll the brute-force engine by using words from other languages, fictional books and video games.--[[User:Horsebattery|Horsebattery]] ([[User talk:Horsebattery|talk]]) 03:04, 3 November 2014 (UTC)
:That's a good idea; it adds to the entropy bits per word. If you really want to throw them off, mix different languages. Just don't use very well-known words; I'm sure the hackers have ''cojones'' and ''Blitzkrieg'' in their dictionaries. [[Special:Contributions/141.101.104.53|141.101.104.53]] 13:03, 4 December 2014 (UTC)

Also, passwords that are 'hard to remember' are themselves a security vulnerability. A password reset scheme (or even a lockout scheme) is a vulnerability. The more it needs to be used, the harder it becomes to police that vulnerability. Relatedly, hard-to-remember passwords leave users uncertain whether their password has been changed by someone else or they've just forgotten it. [[User:Ijkcomputer|Ijkcomputer]] ([[User talk:Ijkcomputer|talk]]) 15:32, 18 December 2014 (UTC)

Hi there, this comic gave me the idea for a password generator that can (optionally) use dictionary words. Have a look if you're interested: https://wordypasswords.com Use your common sense though about what is and isn't secure! Hope someone finds it useful. [[User:Mackatronic|Mackatronic]] ([[User talk:Mackatronic|talk]]) 08:23, 9 January 2015 (UTC)

I have not read all of the replies and in truth most of the detail is boring to me but it has occurred to me that with this sort of problem and since the Snowden affair, serious security devices will have to make the keyboard redundant.

At the moment all I can imagine is a series of pictures like hieroglyphs but even using a rolling code of ever changing font glyphs would do. When the security required by money minders reaches the stage of development possible with keyboards that can supply that sort of security, we will have some idea which banks have some idea about security.

Tip:
Not Barings. They have an history of intransigence and stupidity. (Still revered in banks though as able to cure colon cancer with poor investment strategies.) [[User:Weatherlawyer| I used Google News BEFORE it was clickbait]] ([[User talk:Weatherlawyer|talk]]) 13:46, 23 January 2015 (UTC)

The D0g..................... (24 characters long) is NOT stronger than PrXyc.N(n4k77#L!eVdAfp9 (23 characters long). The reason why, is that the later password is random. There is no pattern. The former, "padding" technique can be very easily cracked. You just need to assume that each character be repeated 1~30 times. Then the first password would become : 1(D)1(0)1(g)21(.), which, is then of complexity 30^4 + 96^4, versus 96^23 for the random password. And that is assuming that any character can be repeated 1~30 times, so DDDDDDDDD0000000ggggggg...... also would be cracked extremely quickly. If you limit yourself to only last character padding, your password now becomes 30*96^4 possibilities. {{unsigned ip|108.162.222.235}}

And that's why it is stupid to explain this kind of joke : it depends on many (MANY) parameters such as brute-force method and encryption/hash algorithm. Giving this kind of (wrong) explanations about "pass cracking" (as if it was always the same way to process ...) is ridiculous. And they talk about entropy .......... Holy shit, go back to school and stop screwing cryptography up. zM_ {{unsigned ip|163.245.49.126|21:41, 18 June 2015 (UTC)}}

I just use a password with a ␡ character or two, and ␇ for banks. [[Special:Contributions/108.162.242.21|108.162.242.21]] 08:33, 18 August 2015 (UTC)

I'am astonished that even someone like Schneier don't get 936 right immediately after reading it. So, I think I know what was going on in Munroes mind conceptually. Maybe there are some grans of salt, but I don't have a problem with these. But I do have one (or two) quantitative problem(s) with 936:
* I was not able to find out, how Munroe get the value of about 16 bits of entropy for the "uncommon" nine letter lower case "non-gibberish base word". This would mean: On average, a letter of such a word will have about 1.8 bits of entropy. May be, but how do we know? "Citation needed!" ;-)
* (Secondly: The "punctuation" should have 5, not 4 bits of entropy. There are 32 (2^5) ASCII punctuation characters (POSIX class [:punct:]). But I assume this is a lapse.)
Can someone enlighten me? --[[Special:Contributions/162.158.91.236|162.158.91.236]] 17:31, 19 September 2015 (UTC)
:I have missed the sentence "Randall assumes only the 16 most common characters are used in practice (4 bits)". Hm. There is a huge list with real world passwords out there, leaking from RockYou in 2009. After some processing to remove passwords containing characters that are not printable ASCII characters (ñ, £, ๅ, NBSP, EOT, ...), the list contains about 14329849 unique passwords from about 32585010 accounts (there are some garbage "passwords" like HTML code fragments). The following are the number of accounts using a password containing a particular printable character (one or more tokens of a particular type):
<nowiki>
226673 .
186883 _
179264 !
125846 -
104224 @
95237 *
92802 (space)
60002 #
36522 /
31172 $
28550 &
27686 ,
23905 +
18704 =
18268 )
17927 ?
16401 (
16074 '
14407 ;
11819 <
11118 %
10723 ]
8975 \
7718 [
7209 :
5815 ~
5673 ^
4995 `
2847 "
2741 >
1050 {
939 }
502 |

(NB: 1222815 accounts were using a password containing at least one of these.)
</nowiki>
:Sorry, I have no "citation". But you can play with the leaked RockYou password list yourself. Here is a way to reach that playground:
<nowiki>
$ # Download the compressed list (57 MiB; I have no idea what "skullsecurity"
$ # is, it was simply the first find and I assume it's the said list):
$ wget http://downloads.skullsecurity.org/passwords/rockyou-withcount.txt.bz2

$ # Decompress the list (243 MiB), or, to speak more exact, it's a table:
$ bzip2 -dk rockyou-withcount.txt.bz2

$ # The content of the table is: "How many accounts (first row) were using that
$ # password (second row)?" Let's take a peek:
$ head -n5 rockyou-withcount.txt
290729 123456
79076 12345
76789 123456789
59462 password
49952 iloveyou

$ # The following command processes the table to remove lines with passwords
$ # containing characters that are not printable ASCII characters (14541
$ # lines/passwords, 18038 accounts), and lines insisting that there were some
$ # accounts with no password (1 line, 340 accounts). Moreover, the command
$ # removes every space character not belonging to a password, makes the rows
$ # tab-delimited and writes the result in a file called "ry" (161 MiB; many
$ # bloating spaces removed).
$ LC_ALL=C sed -n 's/^ *$[1-9][0-9]*$ $[[:print:]]\{1,\}$$/\1\t\2/p' rockyou-withcount.txt >ry

$ # The following are shell functions to build commands. They will be explained
$ # below using examples (I can not express myself well in this language).
$ counta() { LC_ALL=C awk 'BEGIN { FS = "\t"; p = 0; a = 0 } { if ($2 ~ /'"$(printf %s "$1" | sed 'sI/I\\/Ig')"'/) { p++; a += $1 } } END { print a " (" p ")" }' "$2" ;}
$ countap() { LC_ALL=C awk 'BEGIN { FS = "\t"; p = 0; a = 0 } { if ($2 ~ /'"$(printf %s "$1" | sed 'sI/I\\/Ig')"'/) { p++; a += $1; print $0 } } END { print a " (" p ")" }' "$2" ;}

$ # We have reached the playground. Here are some examples for how to use the
$ # toys:

$ # Count how many accounts were using a password containing the string love:
$ counta 'love' ry
671599 (188855)

$ # The first operand of the above command is a extended regular expression
$ # (ERE). The second operand is a file, namely the previously generated file
$ # called "ry", that is the (processed) table. The first number of the output
$ # means: "That many accounts were using a password matching the ERE." The
$ # second number inside parentheses means: "That many unique passwords matching
$ # the ERE." If the first number is greater than the second number, some
$ # accounts sharing the same password (we will see this clearly in one of the
$ # examples below).

$ # Count how many accounts were using a password containing at least one
$ # character:
$ counta '.' ry
32585010 (14329849)

$ # Count how many accounts were using a password containing exactly one
$ # character:
$ counta '^.$' ry
144 (45)

$ # Count how many accounts were using a password containing exactly one numeric
$ # character:
$ counta '^[0-9]$' ry
55 (10)

$ # Let's have a look at the distribution:
$ countap '^[0-9]$' ry
29 1
6 7
6 3
3 9
3 2
2 6
2 5
2 0
1 8
1 4
55 (10)

$ # Obove we see the second command at work. You see what it does and what it
$ # does different. And here we see clearly the meaning of the first number and
$ # the second number inside parentheses.

$ # Count how many accounts were using a password containing at least one
$ # numeric character:
$ counta '[0-9]' ry
17609065 (9761364)

$ # Count how many accounts were using a password ending with a numeric
$ # character:
$ counta '[0-9]$' ry
15728238 (8313698)

$ # Count how many accounts were using a password beginning with a numeric
$ # character:
$ counta '^[0-9]' ry
6409397 (3283946)

$ # Count how many accounts were using a password containing only numeric
$ # characters:
$ counta '^[0-9]+$' ry
5192990 (2346744)

$ # And, last but not least, count how many accounts were using a password
$ # containing that "uncommon non-gibberish base word" in 936, with an upper
$ # or an lower case first letter, with or without some of the "common
$ # substitutions":
$ counta '[tT]r[o0]ub[a4]d[o0]r' ry
3 (3)

$ # Yes, there are some. 14 million unique passwords are a lot. Let's see what
$ # exactly was used:
$ countap '[tT]r[o0]ub[a4]d[o0]r' ry
1 troubador1
1 troubador
1 darktroubador
3 (3)
</nowiki>
:[[Special:Contributions/162.158.91.236|162.158.91.236]] 06:23, 21 September 2015 (UTC)

Interesting read about the generated password streangth: https://www.schneier.com/blog/archives/2016/01/friday_squid_bl_508.html#c6714590 [[Special:Contributions/162.158.91.190|162.158.91.190]] 08:09, 8 January 2016 (UTC)

: That person sounds confused. [[Special:Contributions/198.41.235.107|198.41.235.107]] 23:43, 10 January 2016 (UTC)

;You've Already Memorized It

Originally I logged in to report a local xkcd related phenomenon, and ask if anyone else had experienced it. The destiny, seemingly inescapable, that at once became my own upon seeing that last panel; the effect of the self-fullfilling combination of the very specific look of inquiry -- one I recognize immediately and associate with the words ''"interesting, Captain"'' -- and the insidiously performative ''"You've already memorized it."'' At first I doubted this was actually the case, but soon I could no longer, since not only did the phrase readily come to the mind and out the mouth, it also came up often. The ''"correct"'' soon replaced the word ''"right"'' in everyday conversation, then ''"right you are"'' and ''"yes"'' and so forth, then its opposite (with a ''"no"'' in front), then replacing the direction, the verb involving pen and paper (the most recent development was merely a quick under the breath aside of an acronym of the remaining words). All followed by the rest of the absurdly perfect password. '''Now here's the kicker: I logged on to tell you all this for some reason, only to find, I had memorized ''"correct horse staple battery"'' instead of ''"correct horse battery staple."'''''[[User:A female faust|A female faust]] ([[User talk:A female faust|talk]]) 03:58, 31 July 2016 (UTC)

:If you go to https://howsecureismypassword.net/ and type in the suggested password in the comic, it says that the password would be cracked instantly, and adds a section titled "xkcd".
[[Special:Contributions/162.158.62.195|162.158.62.195]] 14:18, 11 February 2017 (UTC)

Would you believe it, the guy who made the bad password rules switched his philosophy to this comic's: "Long, easy-to-remember phrases now get the nod over crazy characters" "In a widely circulated piece, cartoonist [[Randall Munroe]] calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word. The password Tr0ub4dor&3—a typical example of a password using Mr. Burr’s old rules—could be cracked in three days" [[User:Jacky720|That's right, Jacky720 just signed this]] ([[User talk:Jacky720|talk]] | [[Special:Contributions/Jacky720|contribs]]) 11:57, 8 August 2017 (UTC)

The 44 bits of entropy breaks down rapidly when you realize in real life, most people will choose a passphrase that contains words like "pass", "phrase", "remember", "long", "company" and quite likely "stupid". It's the passphrase equivalent of "password123". If the words are selected randomly and then assigned to a person, that would fix that problem (but create others, like mistrust of a computer that assigns passwords for you to log into that same computer with). [[User:Nerfer|Nerfer]] ([[User talk:Nerfer|talk]]) 21:19, 11 October 2019 (UTC)

There is one aspect which has been left out the whole time. I do not question things like wordlist length, entropy, or substitutions. However, doing shoulder surfing will either reveal a full password or in parts. A full password should not be topic of discussion. In the case of partial success, it is in the proposed method far easier to guess the rest of the password than in the traditional one. [[User:CommingFromTheSide|CommingFromTheSide]] ([[User talk:CommingFromTheSide|talk]]) 15:16, 5 November 2019 (UTC)

As for "author's 28 bits mistake". I believe that Randall does mean the common lexicon with mangling substitutions. That means that counterexample "J4I/tyJ&Acy" does have 72bits, but nonetheless is irrelevant to character/personage strategy of choosing a memorable yet strong password. [[Special:Contributions/172.68.215.113|172.68.215.113]] 13:17, 23 February 2020 (UTC)

Ah... this reminds me of one of my old password.

> It had quote.

> It had comments.

> There were "10e9 characters". (Don't worry, as much as it length backfired, if you types fast, you could type by hand in less than 5 minutes)

> It had typo.

> It had hints of itself in itself.

--[[Special:Contributions/172.68.154.70|172.68.154.70]] 08:22, 8 April 2020 (UTC)

Ah yes, now Microsoft has disabled plaintext words in passwords. I can see where they were trying to go with this but it completely backfired for everyone who doesn't use the password "password". -[[User:Alpha2|Alpha2]] ([[User talk:Alpha2|talk]]) 15:20, 13 October 2021 (UTC)

This scheme (four words) was used for the default wifi and admin passwords on a T Mobile wireless home internet gateway received on 2022-Jun-23 --[[Special:Contributions/172.70.175.146|172.70.175.146]] 14:51, 27 June 2022 (UTC)

The best password/passphrase should be something that has meaning to you and only you; for example, I used to use the password NurseSlutButt, which came from working at an office where the manager had one of his walls covered with the employees' personal memorabilia and one of those was a 1959 newspaper clipping about the new matron of a local orphanage, so that phrase developed from idly staring at the clipping and thinking about her and how she looked in the accompanying photo. I never told anyone about that password until now. Also, introduce deliberate mis-spellings: that makes it harder to crack, even if the attacker guesses the word. That was probably the intent behind the "numbers & symbols" rule in the first place, back before Unicode existed and computer users were limited to what was on their keyboard. [[Special:Contributions/172.71.215.11|172.71.215.11]] 23:37, 17 November 2023 (UTC)

guy guys i have an idea: "correcT horsE batterY staplE exkcdponent 2," {{unsigned ip|172.68.118.25|16:00, 11 June 2024}}

Basically, use '''truely random''', 100-symbols worth passwords with alpha-numeric-special-characters if you '''truely''' don't want to get hacked. And i apologize for everyone who don't have eidetic memory. --[[Special:Contributions/172.69.222.69|172.69.222.69]] 19:29, 25 December 2024 (UTC)

2954: Bracket Symbols

2024-07-04T13:51:20Z

172.69.222.69: Try to explain title text

{{comic
| number = 2954
| date = July 3, 2024
| title = Bracket Symbols
| image = bracket_symbols_2x.png
| imagesize = 592x569px
| noexpand = true
| titletext = ’"‘”’" means "I edited this text on both my phone and my laptop before sending it"
}}

==Explanation==
{{incomplete|Created by a ([{《"complicated function"》}]) - Please~~ change this comment when editing this page. Do *NOT* delete this tag too soon.}} WAKE UP, NERDS! Come explain to me why this is funny!

'The preliminary nerd has arrived and did his best to fix the article.' (Even though I'm not British, I thought it might be funny to reference the comic. {See what I did there?} )

Bracket symbols are meant to put around a text. This comic shows a variety of bracket symbols and Randall's description.
Here is a list of what these symbols may mean as a preliminary to a full proper explanation: (feel free to update or completely replace this)

The title text includes different kinds of quotes, including the ASCII " and ', and Unicode “” (which have both an opening and closing version).
Phones and laptops often have different input systems, and one of them may use a different kind of quote, thus mixing inconsistent quotes together, something most people may not notice or understand.

{| class="wikitable"
|+Descriptions
|-
! Symbols
! Comic text
! Real use
! Explanation of the joke
|-
|()
|Regular parentheses for setting stuff aside
|Used to mark side remarks (like explanations) in regular text. Also used in mathematical expressions and programming languages to show the sequence of operations or separate other things like function arguments.
|Normal parentheses. No joke here.
|-
|[]
|Square brackets (more secure)
|Used in regular text to mark still less important remarks, like glosses, omissions, translator and editorial notes etc. In mathematics, often used for {{w|Matrix (mathematics)|matrices}} or {{w|Interval (mathematics)|closed intervals}}. Sometimes used as outer parentheses for easier visual matching in complicated expressions. In programming languages used to mark specific syntactic elements, like array indexes, lists etc.
|The sharper edges and corners may suggest these brackets hold things in more securely, so the contents is less likely to fall out. They resemble staples used to hold things in place securely.
|-
|{}
|This stuff is expensive so be careful with it
|Rarely used in normal text, although may be used in expanded form to 'enclose' multiple optional lines following/preceding a single element of common purpose (similar to the 'split and recombined tracks' of [[2243: Star Wars Spoiler Generator]]). In mathematics, usually used to denote {{w|Set (mathematics)|sets}}, but other usage is possible. In programming languages most often used to denote begin and end of a separate block of code, but other uses are also extant.
|All that graphical detail in the bracket, if manufactured as a physical object, would increase the production cost making it more expensive than "regular" brackets. Their relative rarity compared to "regular" or square brackets might also increase the monetary value. They may also look 'fancy', like gates with ornate ironwork.
|-
|Inward-sloping double-quotes ("" with reflective slants, or “”)
|Someone is talking
|Used to denote speech or citations in normal text. The first version is commonly used in programming languages to denote text that is not a program, such as messages displayed to the user.
|Normal quotation marks. Some languages or communities use different typographical conventions such as „German quotation marks“. See also below for British and French.
|-
|Inward-sloping single-quotes (based upon <nowiki>''</nowiki> or ‘’)
|Someone British is talking
|British quotation marks. Some programming languages use the first version to denote non-program text. In the Pascal family of languages, for example, <nowiki>''</nowiki>s indicate character-class data, with ""s being string-class data. Within
|Some British media use these to note when people are talking, though in modern usage the double quotes above are more common, while single quotes are more often used as '{{w|scare quotes}}'.
|-
|‹› or <>
|An Animorph is talking
|{{w|Bracket#Angle_brackets|Angle brackets}}. Aside from telepathic speech in prose, it's often used in comics to indicate that a character is speaking a foreign language that has been translated for the reader's benefit – at least notionally.
|Books like the series {{w|Animorphs}} or science fiction novels use these when a character is communicating nonverbally, for example via telepathy.
|-
|«»
|A French Animorph is talking
|French quotation marks. Used for quotes within quotes in some languages. For quoting conventions in different languages, see [https://op.europa.eu/en/web/eu-vocabularies/formex/physical-specifications/character-encoding/use-of-quotation-marks-in-the-different-languages this document].
|These symbols are literally called French quotation marks and are used in French texts as the first-level quotes. Here Randall is mixing the SF convention described above with actual French use.
|-
|<nowiki>|</nowiki>|
|I'm scared of negative numbers but these sigils will protect me
|Vertical bars in mathematics are used for the Absolute Value function.
|The absolute value of a number is its value with all negative and positive signs stripped off; in practical terms this is used to ensure a given value is positive (ex. <nowiki>|-69| = 69</nowiki>). If for whatever reason you need to "protect" your equations from negative numbers (which does come up in programming from time to time) the absolute value function has you covered — though it may not always be denoted with vertical bars. {{w|Sigil}}s are symbols used in magic, and some kinds of magic are thought to protect people from evil.
|-
|**, __, //
|I have a favorite monospaced font
|These symbols are conventionally used in text-based computer communications (such as emails, chats, Usenet News articles) to denote *bold*, _underlined_, or /italic/ font; some client programs interpret them and displayed actual bold text etc.
|{{w|Monospace font}} is a font (set of shapes used for letters, numbers and symbols) in which every character has the same width, unlike {{w|Typeface#Proportional_font|variable-width (proportional) font}}, in which the letter I is much narrower than W. While proportional font is more pleasant to read, monospace is easier to represent in simple mechanical or electronic devices, and has been used almost exclusively in the advent of computer technology, specifically in text-only environments such as {{w|computer terminals}}; these most often had only one factory installed font. Today, a person still using these symbols is probably using a {{w|terminal emulator}}, which allows to select a (preferably monospace) font from a wide set of fonts installed in the operating system.
|-
|~~
|I'm being sarcastic and I had a Tumblr account in 2014
|
|Strikethrough markup commonly used on sites like Tumblr to indicate that you don't really mean something you said. This is a somewhat archaic trend, but I still use it...
|-
|[([{()}],)]
|These Python functions are not getting along
|The square brackets denote a mutable [https://docs.python.org/3/tutorial/introduction.html#lists list], the round brackets an immutable [https://docs.python.org/3/tutorial/datastructures.html#tuples-and-sequences tuple] , and the curly brackets a [https://docs.python.org/3/tutorial/datastructures.html#sets set]. It is valid to have nested them like this. [] could also be a slice (a bit of a list or tuple) and {} could be a [https://docs.python.org/3/tutorial/datastructures.html#dictionaries dictionary], but the syntax is wrong for these.
|Random parentheses - Spaghetti code (badly maintained or written) in programming languages including Python will often be badly organized creating a mess of indentations and brackets used to create functions or loops etc.
|-
|⌊⌋
|Help, I'm a mathematician trying to work with actual numbers and they're scary
|Mathematical symbols meaning "floor" (i.e. round down to the nearest lower integer).
|By "actual numbers" Randall means {{w|real number}}s. Unlike {{w|natural number}}s, they are somewhat difficult to understand to a person learning basic mathematics and thus "scary". The "floor" operation makes a (positive) real number a natural number, thus not "scary".
|-
|∫ ∫
|Why are you trying to read my violin?
|There is currently no such type of bracketing used in typography. See Explanation.
∫ looks like the {{w|Integral symbol}} which itself is derived from a {{w|Long s}}. In mathematics it is usually paired with the differential of the variable of integration (e.g., dx). A reverse integral symbol is usually not used in mathematics.
The symbols could also be a lowercase {{w|Esh (letter)}} and its reversed symbol.
|Violins are known for their characteristic {{w|F-hole}}s.
|-
|<nowiki>|⟩</nowiki>
|Don't stop here–this is quantum country
|This {{w|Bra–ket notation|notation is used in quantum mechanics}} to notate a vector. This is called a ket, and the mirrored sign <nowiki>⟨|</nowiki> is called a bra. Combining them as bra-ket gives the inner product <nowiki>⟨|⟩</nowiki>.
| This is paraphrasing "Fear and Loathing in Las Vegas" where Johnny Depp says: "We can't stop here, this is bat country!" while wasted on drugs, though not as wasted as later in the movie.
|}


==Transcript==
{{incomplete transcript|Do NOT delete this tag too soon.}}

Bracket Symbols

and what they mean

( ) Regular parentheses for setting stuff aside

[ ] Square brackets (more secure)

{ } This stuff is expensive so be careful with it

" " Someone is talking

' ' Someone British is talking

‹ › An Animorph is talking

« » A French Animorph is talking

| | I'm scared of negative numbers but these sigils will protect me

<nowiki>*</nowiki> * _ _ / / I have a favorite monospaced font

~ ~ I'm being sarcastic and I had a Tumblr account in 2014

[ ( [ { ( ) } ] , ) ] These Python functions are '''''not''''' getting along

⌊ ⌋ Help, I'm a mathematician trying to work with actual numbers and they're scary

ʃ ʅ Why are you trying to read my violin?

| ⟩ Don't stop here--this is quantum country

{{comic discussion}}

[[Category:Language]]
[[Category:Math]]
[[Category:Programming]]
[[Category:Animorphs]]

2952: Routine Maintenance

2024-06-30T16:25:49Z

172.69.222.69: /* Explanation */ corrected typo

{{comic
| number = 2952
| date = June 28, 2024
| title = Routine Maintenance
| image = routine_maintenance_2x.png
| imagesize = 299x413px
| noexpand = true
| titletext = The worst was the time they accidentally held the can upside down and froze all the Earth's magma chambers solid.
}}

==Explanation==
{{incomplete|Created by an ONCOMING LETHAL DUST CLOUD - Please change this comment when editing this page. Do NOT delete this tag too soon.}}

A recommended routine maintenance step for many electronics, such as desktop computer towers, is to remove the buildup of dust on a regular basis. This bit of routine maintenance can help prevent the electrical components from overheating, and lengthen the lifetime of these electronics. There exists {{w|Gas duster|cans}} of high-pressure gas, as depicted, to blow dust out without a person blowing themselves, thus allowing them to keep their distance and not get a faceful of dust, or adding unintended moisture to the electronics.

This is suggesting that this is a maintenance step performed on the Earth itself, blowing gas into the Earth to force out the dust. However, filling the atmosphere with dust would be unhealthy and fatal to living beings, so as a safety measure everyone would have to take shelter.

This may be a reference to one theory about the K-T extinction event, that a crashing meteor sent so much dust into the air that it killed off many plants and animals including all non-avian dinosaurs in a much wider area than were directly affected by the initial impact. Those lineages that chanced to survive the global effects (including our own mammalian ancestors, and the avian dinosaurs that led to todays birds) must have been able to escape the worst of the disrupted ecosphere, perhaps some of them by already being more inclined/suited to living in burrows while the worst of the atmospheric effects subsided and let them exploit various newly vacant (and/or changed) environmental niches. However, this dust cloud would have lasted longer than the 48 hours name in the comic.

The image suggests that the "routine maintenance" for Earth would involve using the {{w|Hawaii hotspot}} (possibly via its most active volcano, {{w|Kilauea}}), as the point to insert the high-pressure gas, causing volcanoes to erupt in Iceland, the {{w|Aleutian Islands}} or the {{w|Kamchatka Peninsula}}, the {{w|Andes}}, and elsewhere; the two geographically-indeterminate plumes may represent Italy and Indonesia.

The title text mentions using the can upside-down, and this freezing solid the magma chambers. Pressurised canisters of air, as with similar aerosol sprayers, make use of a propellant gas that condenses into a liquid when compressed. When the spray valve is opened, the release of pressure allows some of the liquid to evaporate and take the place of the released gases, or become some of the gas subsequently released (or all of it, if its purpose is not to spray other contents). The transition of the propellant liquid/gas from dense liquid to space-filling gas requires it to 'boil off', this process needing to pick up {{w|Enthalpy of vaporization|heat (or 'enthalpy') energy}}. Under typical operation, the cooling liquid/gas takes heat from the general mass of the can itself as it tries to attain thermal equilibrium. As a result, the can (and the expelled gases) will be cooled a little. Then (ultimately) heat will also be taken from anything touching or surrounding the slightly cooled can and its spray. This is precisely how a purposeful refrigerant acts, either as a one-time process or as a reversible cycle where repressuring a suitable gas can 'release' heat (the heat/enthalpy of condensation) at the 'hot side' of a refrigerator, returning the gas in the system to liquid that it can later let boil again and cool the 'cold side' of the refrigerator.

It is not normally useful for such a can to allow the liquid propellant-in-waiting to exit the container, as it would waste its usefulness as a source of pressure once it does. But by holding the container the wrong way up (which way that is being dependant upon its design, and intended use...) the pressurised contents push the liquid out via the nozzle's stream. The now exposed propellant is now free to evaporate into the air at atmospheric pressure, typically much lower than the constraints it had within the can, after landing directly upon whatever the can was sprayed at. The resulting demand for heat energy (much more rapid than normal, and likely concentrated upon a much smaller target than the can itself represents) produces a greater localised drop in temperature and can lead to freezing nearby liquids (which may or may not be intended/useful). Of course, the total 'cooling effect' of such a can does not change, depending upon how it is (mis)used, it merely changes the extent (and lifetime) of application, and how extreme the temperature change may be within a much more limited 'liberation' of its cooling ability.

Spraying canned "air" in reverse is a party trick used to very quickly cool beverages, being able to bring them down from room temperature to ice cold in seconds, if performed correctly. Some 'spray cans' are ''designed'' to let you freeze things (e.g. to help in plumbing repairs) or safely chill surfaces (e.g. for first-aid purposes), but these are exceptions (that require judicious use) and generally it is a wasteful use of a spray-can, if not actually unwise.

Given the location of the planetary-scale dust-busting 'air canister', it may be considered confusing which 'way up' is the correct orientation, given that Earth-gravity would be pulling the contents sideways (however that changes what the nozzle ends up ejecting from the can itself). But such as large can would also have its own significant internal 'can-centric' gravity that possibly (depending upon how full of still-liquid propellant it is) exceeds that of the Moon, possibly letting all the denser liquid hold itself into the centre of the canister, even against the nearby Earth's gravity. Being significantly closer to the Earth than the Moon is, this can could also be a far greater influence upon Earth's own tides (not alluded to in the comic), making the dusting of the atmosphere or the freezing of some of its magma secondary issues to the sheltering population.

==Transcript==
{{incomplete transcript|Do NOT delete this tag too soon.}}

:[The nozzle of a "Dust-Off" (compressed air) gas duster can is pointing into a hole on the Earth's surface in the Pacific Ocean around where Hawaii is located, and its trigger is pressed as an arrow indicates, resulting in dust clouds being released from five visible spots of the Earth. These eruptions can be seen in the Aleutian Islands or Kamchatka Peninsula, Iceland, the Andes, and two further in the eastern hemisphere on the other side of the Earth.]

:[Caption below the panel:]
:I know routine maintenance is important, but I hate how we all have to take shelter for 48 hours every year while they flush out the Earth's magma system for cleaning.

{{comic discussion}}

[[Category:Geology]]

1361: Google Announcement

2024-04-21T06:16:55Z

172.69.222.69: change dead link to an archive one

{{comic
| number = 1361
| date = April 28, 2014
| title = Google Announcement
| image = google_announcement.png
| titletext = The less popular 8.8.4.4 is slated for discontinuation.
}}

==Explanation==
At the time of this comic's release, {{w|Vic Gundotra}} had recently left {{w|Google}}. Because he was the head of {{w|Google+}}, this had caused many people, including [http://techcrunch.com/2014/04/24/google-is-walking-dead/ TechCrunch], to theorize that Google+ was going to be shut down, despite the continuing comments from Google that it would remain active and updated. It lasted five more years, finally being closed on April 2nd, 2019.

Google has a history of {{w|List of Google products#Discontinued products and services|closing popular services}}.

The comic extrapolates this to an announcement that Google would be closing '''all''' its popular services, up to and including its e-mail service, Gmail, and even the core business of the company, its Internet search engine, to wholly concentrate on a relatively obscure part of its product lineup. According to Google, its Public {{w|Name server|DNS servers}} (Domain Name System servers), better known by their IPv4 addresses {{w|8.8.8.8|8.8.8.8 and 8.8.4.4}}, are supposed to be a faster alternative to using one's ISP's DNS servers (because of caching effects due to a large user base), as well as less susceptible to censorship. When Turkey started blocking access to Twitter and YouTube in March 2014, Turkish ISPs first did this on the DNS level by manipulating the results from their own name servers. The most popular workaround was using Google's DNS server instead, so much so that its address was written as [https://web.archive.org/web/20220125171629/https://www.gawker.com/turkish-graffiti-spreads-the-ip-addresses-of-googles-d-1548946312 graffiti on the side of a building].

The joke may also be related to the fact that 8.8.8.8 is an IP address heavily used by network administrators to perform connectivity tests (''ping'') because it is easy to remember and fast to type. Google would want to concentrate on this feature to build a business model using that fact.

The reason behind this decision may be that Google considers a DNS server, a fairly low-level component of the Internet's service stack, to be the optimal place to collect information on its users, an accusation leveled at Google ever since it introduced the service.

The title text refers to the impression held by some that Google will shut down services that prove less popular than desired at short notice, even though they may in fact have a significant user base. A recent example of that is the closure of the RSS aggregation service, Google Reader, in July 2013. While the same DNS service is provided under both addresses, the more memorable 8.8.8.8 is likely to receive far more requests than 8.8.4.4.

==Transcript==
:[Cueball is standing at a lectern marked Google.]
:Cueball: The rumors are true. Google will be shutting down Plus—
:Cueball: Along with Hangouts, Photos, Voice, Docs, Drive, Maps, Gmail, Chrome, Android, and Search—
:Cueball: To focus on our core project:
:Cueball: The 8.8.8.8 DNS Server.

==Trivia==
*Google quickly responded with an acknowledgment to a query for "xkcd". The TXT record for the DNS name of the IP address 8.8.8.8 was set to "http://xkcd.com/1361/", an entry just meant to be informal.

{{comic discussion}}
[[Category:Comics featuring Cueball]]
[[Category:Internet]]
[[Category:Public speaking]]
[[Category:Google]]
[[Category:Google Plus]]