Main Page

Explain xkcd: It's 'cause you're dumb.
(Difference between revisions)
Line 1: Line 1:
__NOTOC__{{DISPLAYTITLE:explain xkcd}}
__NOTOC__{{DISPLAYTITLE:explain xkcd}}
<font size=5px>''Welcome to the '''explain [[xkcd]]''' wiki!''</font>
Today, the wiki is in read-only mode to allow for a hosting migration.  Please enjoy reading all our xkcd explanations.
Today, the wiki is in read-only mode to allow for a hosting migration.  Please enjoy reading all our xkcd explanations.
<font size=5px>''Welcome to the '''explain [[xkcd]]''' wiki!''</font>
We have an explanation for all [[:Category:Comics|'''{{#expr:{{PAGESINCAT:Comics|R}}-13}}''' xkcd comics]],
We have an explanation for all [[:Category:Comics|'''{{#expr:{{PAGESINCAT:Comics|R}}-13}}''' xkcd comics]],
<!-- Note: the -13 in the calculation above is to discount subcategories (there are 8 of them as of 2013-02-27),
<!-- Note: the -13 in the calculation above is to discount subcategories (there are 8 of them as of 2013-02-27),

Revision as of 13:12, 29 October 2013

Today, the wiki is in read-only mode to allow for a hosting migration. Please enjoy reading all our xkcd explanations. Welcome to the explain xkcd wiki! We have an explanation for all 1 xkcd comics, and only 0 (0%) are incomplete. Help us finish them!

Latest comic


New Bug
Title text: There's also a unicode-handling bug in the URL request library, and we're storing the passwords unsalted ... so if we salt them with emoji, we can close three issues at once!


This explanation may be incomplete or incorrect: How does salting with emoji fix the unicode-handling bug in the URL request library? Does it really? Additionally, this explanation requires a thorough grammar and spelling fix from the fourth paragraph onward.

Cueball asks if an off-panel character can look at his bug report. The person asks if it's a "normal one" and not a "horrifying" one which "proves that the whole project is broken beyond repair and should be burnt to the ground". This implies that there have been reports of the "horrifying" variety in the past.

Cueball promises that it is a normal one, but it turns out that the server crashes when a user's password is a resolvable URL, which implies that the server is in some way attempting to resolve passwords as if they were URLs. A resolvable URL is one that is syntactically correct and refers to a findable and accessible resource on the internet (i.e. does not return a 404 error or equivalent when resolved). This can be because it contains a fully qualified domain name or a valid IP address, and optionally (in either case) a resource that exists on the destination server.

Also, Cueball specifically states that the server is crashing, rather than his application. While this could be an example of misused terminology on the part of Cueball or Randall, given Cueball's history his choice of terms is probably accurate. In the context of web services, the server refers to either the computer itself or the program that responds to web requests and executes the user's (i.e. Cueball's) application. Cueball would be in charge of building the application. The importance of this distinction is that a typical system has safeguards in place at many levels to prevent a misbehaving application from crashing anything other than itself. So for his application to crash the server (either the computer itself or the server software hosting his application), it would have to be operating in a way far outside of the norm. Alternatively, the project might include its own server software without the safeguards.

While there appears to be little reason for the code that processes passwords to attempt to resolve the input string as a URL, a common function in password programs is assessing the strength of a password using a combination of heuristics to test for uniqueness, length, good use of mixed characters and dictionary lookups for common words. This password function would appear to have extended the lookups to DNS names and URLs, so people choosing a password like "" would be given a low strength score, even though no part of it is a dictionary word and it contains upper case, lower case and punctuation. However, accessing the internet in a function like password validation opens up not only the possibility of new bugs like the one mentioned, but also a completely new set of issues which are risky for a security function such as password checking. Realising the proliferation of new security issues, the off-panel person gives up and decides that burning the project to the ground is the only solution, telling Cueball "I'll get the lighter fluid."
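A strength checker can penalise URL-shaped passwords without touching the network, which avoids the class of bug described above. The following is an added example, not code from the comic or the wiki; the function names and the list of accepted schemes are assumptions chosen for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _host_is_plausible(host: str) -> bool:
    """True for an IP literal or a dotted name ending in an alphabetic label."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return (len(labels) >= 2
            and all(_LABEL.match(lab) for lab in labels)
            and labels[-1].isalpha())

def looks_like_url(password: str) -> bool:
    """Syntactic check only: the string is parsed, never resolved or fetched."""
    candidate = password.strip()
    if "://" not in candidate:
        # Let urlsplit treat "example.org/x" as host + path instead of a bare path.
        candidate = "//" + candidate
    try:
        parts = urlsplit(candidate)
        host = parts.hostname
    except ValueError:  # malformed input such as an unclosed "[" in the host
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https", "ftp"):
        return False
    return bool(host) and _host_is_plausible(host)
```

Because the check is a shape heuristic, it also flags bare hostname-like strings; it is meant to lower a strength score, not to reject input outright.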

In the title text another two issues with Cueball's program are mentioned, together with a possible solution that would fix all three problems at once. The second problem is a unicode-handling bug in the URL request library, and the third is that the passwords are stored unsalted. Salting passwords increases security in the event that the database is compromised by ensuring that users with the same password will not have the same password hash. This makes some attacks that can be used to crack hash databases, such as rainbow tables, effectively impossible.

The proposed solution is to salt the passwords with emoji, which is claimed to solve all three issues at once. Emoji are Unicode (multi-byte) characters, which would force the resolution of the Unicode-handling bug. It's not clear how emoji in the salt would lead to a fix for the URL bug, because although emoji are not valid characters in URLs (and the server only crashes on resolvable URLs), they would only be present in the hash string, not in the cleartext password. But at least the passwords will now be salted.
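The effect of salting described above, as an added example that is not part of the original explanation. The sample password, the iteration count, the choice of PBKDF2 and the function names are assumptions made for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware

def hash_unsalted(password: str) -> bytes:
    """The 'before' state from the title text: a bare digest of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def hash_salted(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, derived_key); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key

def verify(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_salted(password, salt)
    return hmac.compare_digest(key, stored_key)

def demo() -> dict:
    pw = "hunter2"  # constructed sample password shared by two users
    alice, bob = hash_salted(pw), hash_salted(pw)
    # An emoji is only bytes once UTF-8 encoded, so it can be salt material,
    # but one fixed emoji shared by all users still lets equal passwords
    # produce equal hashes.
    emoji_salt = "\U0001F525".encode("utf-8")
    return {
        "unsalted_collide": hash_unsalted(pw) == hash_unsalted(pw),
        "salted_collide": alice[1] == bob[1],
        "alice_verifies": verify(pw, *alice),
        "wrong_pw_verifies": verify("hunter3", *alice),
        "emoji_salt_len": len(emoji_salt),
        "fixed_emoji_collide":
            hash_salted(pw, emoji_salt)[1] == hash_salted(pw, emoji_salt)[1],
    }
```

The salt is stored next to the derived key and is mixed in only at hashing time; the user's cleartext password is never modified.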

Given that this comic comes only five comics after 1695: Code Quality 2, it seems likely that the off-panel person is Ponytail and, as could be seen in the first of those two comics, 1513: Code Quality, that the perpetrator is indeed Cueball. In the title text of the first, using emoji in variable names is mentioned.

In 1349: Shouldn't Be Hard, Cueball is also programming and finding it very difficult, although he thinks it should be easy. An off-panel person suggests burning the computer down with a blowtorch, much like the off-panel person in this one suggests burning the whole project (including the computer) to the ground with lighter fluid. In the next comic, 1350: Lorenz, which has multiple storylines, one storyline results in a computer being burned with a blowtorch.


[Cueball sits at his desk in front of his computer leaning back and turning away from it to speak to a person off-panel.]
Cueball: Can you take a look at the bug I just opened?
Off-panel voice: Uh oh.
[Zoom out and pan to show only Cueball sitting on his chair facing away from the computer, which is now off-panel. The person speaking to him is still off-panel even though this panel is much broader.]
Off-panel voice: Is this a normal bug, or one of those horrifying ones that prove your whole project is broken beyond repair and should be burned to the ground?
[Zoom in on Cueball's head and upper torso.]
Cueball: It's a normal one this time, I promise.
Off-panel voice: OK, what's the bug?
[Back to a view similar to the first panel where Cueball has turned towards the computer and points at the screen with one hand.]
Cueball: The server crashes if a user's password is a resolvable URL.
Off-panel voice: I'll get the lighter fluid.


New here?


Lots of people contribute to make this wiki a success. Many of the recent contributors, listed above, have just joined. You can do it too! Create your account here.

You can read a brief introduction about this wiki at explain xkcd. Feel free to sign up for an account and contribute to the wiki! We need explanations for comics, characters, themes, memes and everything in between. If it is referenced in an xkcd web comic, it should be here.

  • List of all comics contains a table of most recent xkcd comics and links to the rest, and the corresponding explanations. There are incomplete explanations listed here. Feel free to help out by expanding them!
  • If you see that a new comic hasn't been explained yet, you can create it: Here's how.
  • We sell advertising space to pay for our server costs. To learn more, go here.


Don't be a jerk. There are a lot of comics that don't have set in stone explanations; feel free to put multiple interpretations in the wiki page for each comic.

If you want to talk about a specific comic, use its discussion page.

Please only submit material directly related to —and helping everyone better understand— xkcd... and of course only submit material that can legally be posted (and freely edited). Off-topic or other inappropriate content is subject to removal or modification at admin discretion, and users who repeatedly post such content will be blocked.

If you need assistance from an admin, post a message to the Admin requests board.
