1200: Authorization

Explain xkcd: It's 'cause you're dumb.
Revision as of 14:32, 17 April 2013 by (talk) (Explanation: Why especially on windows? It's pretty much the same on both os's)
Jump to: navigation, search
Before you say anything, no, I know not to leave my computer sitting out logged in to all my accounts. I have it set up so after a few minutes of inactivity it automatically switches to my brother's.
Title text: Before you say anything, no, I know not to leave my computer sitting out logged in to all my accounts. I have it set up so after a few minutes of inactivity it automatically switches to my brother's.


Computer operating systems were initially written for the business environment. Thus they were made to be accessible to multiple employees, or users, but only fully accessible to administrators (or admins). Regular users can access and use programs on the computer, but only the admin is allowed to make changes to how the computer runs. This same split level of security continues to this day, even in privately owned, or "home", computers.

The joke here is that the most important things on a computer are no longer the programs that it runs, but the private personal data it accesses (usually online). Anyone who wished to do real mischief on an active computer could do considerable damage without ever caring what the admin password was. The admin password, in effect, now guards a vault no one cares about.

This comic pokes fun at the authorization mechanisms surrounding most operating systems' administrator accounts. It makes the argument that the user's data is more valuable than the integrity of the system. (This is arguably true for most personal systems, although it is probably not true in a shared-server setup, where a system compromise could lead to the exposure of many users' data.)

Essentially, once a user is logged in, he or she can typically access all of his or her data without any further restriction. Modifying the operating system (for example, to install drivers) requires a separate password.


[Diagram showing several connected rooms. One in the center says "User account on my laptop," surrounded by "Dropbox," "Photos & files," "Facebook," "Gmail," "PayPal," and "Bank," which are connected to the middle room and to each other. Below the middle room is one labeled "Admin account," which is covered in spikes, and has a door to the room above it.]
If someone steals my laptop while I'm logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission.

comment.png add a comment! ⋅ comment.png add a topic (use sparingly)! ⋅ Icons-mini-action refresh blue.gif refresh comments!


This is the reason that I set sudo to not prompt for a password. I just make sure my computer locks itself aggressively. 06:59, 17 April 2013 (UTC)

The admin account should still be guarded EXACTLY for the ability to install drivers. The driver you don't want to have installed is keylogger stealing your passwords. I mean, you don't have your bank password remembered in browser, do you? Still, auto-logout or auto-lock is important feature. You should also set-up and use separate account for high-risk activities (like opening emails from unknown persons promising naked celebrities ... ok, you actually shouldn't be opening such emails at all, but if you are really curious ...). -- Hkmaly (talk) 09:06, 17 April 2013 (UTC)

Even if you can log into your bank account, you could not transfer money without authorizing transactions. BKA (talk) 11:23, 17 April 2013 (UTC)
My bank account website logs me out if I'm inactive for 10 minutes. It doesn't even leave the page up, it switches to a login screen. 14:35, 17 April 2013 (UTC)
I wonder how useful a keylogger would be if you never typed a username or e-mail to go with the password. Every important account I have has that remembered, and I just type the password. It sounds like it would be zero context. 15:09, 17 April 2013 (UTC)
Except usernames tend to be reasonably easy to figure. E-mails certainly are what with folks tending to broadcast their e-mail addresses to everyone. So passwords, although also often not overly difficult to crack (http://xkcd.com/936/), remain the part not generally known. Not worrying about a keylogger picking up a password, even "out of context" would be a mistake. 17:11, 17 April 2013 (UTC)
Also, modern keyloggers (despite still being called keyloggers) also capture screen and mouse movement. They are perfectly able to record a password entered by clicking on keyboard on screen and many other ideas tried to complicate keylogging. -- Hkmaly (talk) 22:48, 17 April 2013 (UTC)

Actually, for many years popular operating systems such as MS Windows did *not* have separate security for system administration, which made it very popular for the propagation of viruses and other malware. And once it was introduced, it wasn't enforced for many years. Only relatively recently this is happening, and still viruses, trojan horses and botnets thrive, because it is slightly inconvenient for the user to act safe(r). 13:13, 19 April 2013 (UTC)

Not agree with Randall on this one. Laptop stealing is very physical, there are way to keep people from physically able to use our active login session, such as make sure the laptop is physically secured when possible, make sure the screen locked out when we are away (we can automate that using bluetooth detection), etc. Root password protect another kind of attack, generally more clandestine one, such as trojan and rootkit installations, which can be more dangerous as we may not be aware it is there. Arifsaha (talk) 17:06, 6 May 2013 (UTC)

Not going to agree. I use lastpass for passwords, have every (important) site protected with 2fac, and firefox wipe all my userdata everytime I close it, so even if a keylogger is installed, or they have physical access to my device, they can't get to my personal information. So that covers Facebook, Gmail, Paypal, and the Bank. Everything else is encrypted