Talk:1820: Security Advice

Revision as of 22:46, 6 April 2017 by 162.158.111.211 (talk)


Secret questions are not 2-factor authentication (2FA). They are just a really shitty password, something that you know. --JakubNarebski (talk) 14:33, 5 April 2017 (UTC)

Secret questions are more like 0-factor authentication, since they typically ask for public data. Shirluban 141.101.88.106 14:39, 5 April 2017 (UTC)

Even when it isn't public it is often very insecure - like: "your password has to have upper and lower case letters, numbers" and other requirements - if you forget it, just enter the brand of your first car; there are about 20 likely answers (make it 40 if you need to additionally see whether or not it has been capitalized). 162.158.92.46 15:18, 5 April 2017 (UTC)


Use prime numbers in your password: this would only limit the number of possible passwords for a hacker to check.

Use special characters like & and %: this advice is thoroughly handled in https://xkcd.com/936/. Changing characters into special ones adds just very little to the search space. However, a video from Computerphile suggests inserting a random character somewhere in the password, which might actually be rather helpful.

162.158.111.211 14:53, 5 April 2017 (UTC)

Maybe you really should use a secure font: Font related bug 162.158.79.161 15:13, 5 April 2017 (UTC)

Should the blue check mark tip be noted as only being useful on Twitter? Usually, the advice doesn't apply to emails, which are significantly more likely to ask for your less-secret account details, but also significantly less likely to have a blue check mark. 162.158.2.10 15:15, 5 April 2017 (UTC)

"If a border guard asks to examine your laptop, you have a legal right to challenge them to a chess game for your soul." Do any of you know exactly what the original advice is here? This is probably different in different countries, but if I recall correctly you can't prevent them from seizing your device, but you are not required to provide them your passwords (but they may give you a hard time or deny your entry if you are not a citizen). Can anyone confirm this? 108.162.216.22 15:16, 5 April 2017 (UTC)


The rice trick doesn't even work for wet phones. http://www.gazelle.com/thehorn/wp-content/uploads/2014/05/Water-Damage-Prevention-and-Recovery.pdf 162.158.111.211 15:33, 5 April 2017 (UTC)

Yeah - beat me to it! The rice trick doesn't work...not for phones or anything else for that matter. So this is double bad advice. 162.158.69.39 16:06, 5 April 2017 (UTC)

Border guard - I'd like to see a bit more explanation, please, on how Ingmar Bergman's film shows a man playing chess with Death, and possibly the infamous subversion of this trope in Bill And Ted's Bogus Journey. As it is, the explanation is only the bare bones. --172.68.34.52 17:35, 5 April 2017 (UTC)

Checking the padlock icon in your browser is not enough to make sure you're really connected to the site you think. You have to check the domain too, to make sure you're not on a typosquatter domain (e.g. explianxkcd.com instead of explainxkcd.com). For really important things like banking, you should check for an Extended Validation Certificate (Firefox shows the name of the organization running the website beside the padlock to indicate an EV certificate). This means that the CA checked whether the website operator really is who he pretends to be (and takes a hefty sum of money for the process). Yeah, I know, security isn't easy. Using the brain still can't be replaced. --162.158.202.160 20:14, 5 April 2017 (UTC)


These two characters are often disallowed in passwords because of their relevance to SQL (a common database query language). A badly written security system using SQL could have severe bugs (and vulnerabilities) if these characters were used in a password. So instead of fixing the bugs, users are kindly requested/forbidden to use & and % because that would break the system? Relying on empathy instead of fixing the problem, similar to "please don't break in, we're too poor to afford a decent lock". Sounds like something Black Hat in a role as security advisor could come up with. 162.158.111.211 21:01, 5 April 2017 (UTC)
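As an added illustration of the point in the comment above (this is my own code, not from the thread, xkcd, or any real site), here is a login check written the "badly written" way beside a fixed one; the function names and the sample password "a&b%c" are my own choices:

```python
# Added example: why banning '&' and '%' is the wrong fix. The naive version
# assembles SQL by string concatenation and stores the plaintext password, so
# '%' is interpreted as a LIKE wildcard. The fixed version binds parameters and
# stores a salted hash, so no character in the password is special to SQL.
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune for your hardware


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT, salt BLOB, hash BLOB)")
    return con


# --- the kind of system the comment describes ------------------------------
def naive_register(con: sqlite3.Connection, name: str, password: str) -> None:
    # Plaintext password, query text assembled by hand.
    con.execute(f"INSERT INTO users (name, pw) VALUES ('{name}', '{password}')")


def naive_login(con: sqlite3.Connection, name: str, password: str) -> bool:
    # LIKE treats '%' and '_' as wildcards, so a password containing '%' is no
    # longer compared exactly; that is the bug a site "fixes" by banning '%'.
    row = con.execute(
        f"SELECT 1 FROM users WHERE name = '{name}' AND pw LIKE '{password}'"
    ).fetchone()
    return row is not None


# --- the fix: parameter binding plus a salted, slow hash -------------------
def register(con: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    con.execute("INSERT INTO users (name, salt, hash) VALUES (?, ?, ?)", (name, salt, digest))


def login(con: sqlite3.Connection, name: str, password: str) -> bool:
    row = con.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison; the password text never reaches the SQL engine.
    return hmac.compare_digest(candidate, stored)
```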

I once saw a funny notification at a login screen. It read: "Only log on if you are an authorized user". Hilarious... Elektrizikekswerk (talk) 13:03, 6 April 2017 (UTC)


"Turing-complete kerning specification language in OpenType fonts" needs a citation. Is this just referring to the TeX language in general?

"the US banking system, where there is very little security for direct account drafts, and because of that it is advised there to keep the account number as secret as possible. In contrast, in Europe..." also needs citation. Why is giving out your bank account number more secure in Europe? I googled around a bit but couldn't find any verification of this (aside from discussions on chips vs. magnetic strips, which is a different issue). --Tractarian (talk) 17:29, 6 April 2017 (UTC)

From experience, here in the UK, if I wanted someone to transfer money to me online, I just give them my account number and routing (or "sort") code. People even publish this information on websites.

Specifically, a lot of the rules here place liability on the banks for fraudulent and unauthorised transactions as long as the consumer wasn't careless or breached the rules of their account.

See https://www.directdebit.co.uk/DirectDebitExplained/pages/directdebitguarantee.aspx https://www.chequeandcredit.co.uk/information-hub/faqs/cheque-fraud

But I can't imagine how anyone could initiate a transaction from my account without forging a document or hacking my online banking details (for electronic transfers).--162.158.111.37 19:33, 6 April 2017 (UTC)

Yeah, from my Dutch view that part also seems strange. Like "I'm not telling you my e-mail address so you can't read my e-mail". Also, anyone you ever sent money to gets to know your account number, don't they? After that, can they just walk into a bank saying "Hi I'm John, account number 12345, give me $5000 please"? I'd like a comic showing my account number to test how I'd be hurt by telling the whole world :) It gets stranger: in order to get a refund to my credit card I not only had to give my credit card number but the expiry date as well. I always considered the expiry date as a very simple password to prove you have the card itself. This felt more like "You wouldn't want total strangers to put money on your account, would you?" (thinking about it, maybe it's used as a "checksum"). 162.158.111.211 22:35, 6 April 2017 (UTC)