1820: Security Advice

2017-04-05T15:28:25Z

Lurrch: /* Security Tip Explanations */ I clarified the section about special characters.

{{comic
| number = 1820
| date = April 5, 2017
| title = Security Advice
| image = security_advice.png
| titletext = Never give your password or bank account number to anyone who doesn't have a blue check mark next to their name.
}}

==Explanation==
{{incomplete|Incomplete. TBD:Complete tip explanations Do NOT delete this tag too soon.}}

The comic depicts a conversation between [[Cueball]] and [[Ponytail]], discussing the fact that giving people security advice has failed to improve their internet security, and in some cases even made things worse (such as requiring complicated passwords leading to people leaving post-it notes with their passwords on their screen, leading to huge security risks). As a result Cueball suggests {{w|reverse psychology|giving bad advice instead}}, in hopes of a positive effect. The last panel contains a list these security tips, which are parodies of actual security tips.

The issue of passwords and computer security was covered in [http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength 936: Password Strength].

The last tip on the image is most likely a reference to Ingmar Bergman's film [https://en.wikipedia.org/wiki/The_Seventh_Seal#Synopsis The Seventh Seal].

===Security Tip Explanations===
{| class="wikitable"
!Security Tip
!Explanation
|-
|Don't click links to websites
|The usual tip is "Don't click on ''suspicious'' website links." The comic's variation instead implies don't click on any links to any websites, or don't use the internet.
|-
|Use prime numbers in your password
|Long prime numbers are an essential part of modern cryptography and security systems, but don't have any effect when being used in passwords, except for maybe being harder to remember. In addition, if people were to regularly use prime numbers in their passwords, it would actually make passwords ''easier'' to guess, as it would substantially shrink the search space.
|-
|Change your password manager monthly
|It is often recommended to change passwords on a regular basis. However, changing password managers monthly would be quite impractical.
|-
|Hold your breath while crossing the border
|This in its self, wouldn't do anything, but if you hold your breath for too long you could pass out when crossing, or look stressed/suspicious. Overall, this would not help you.
|-
|Install a secure font
|A real tip might be "Install a secure browser" especially when many people used [https://en.wikipedia.org/wiki/Internet_Explorer_6 Internet Explorer 6]. Using a different font on a computer would not help one's internet security.
|-
|Use a 2-factor smoke detector
|A new way to keep accounts secure is 2-factor authentication, which usually means you enter your password, and then look for an email (or go into a mobile app) with a code which you then enter into the website. A 2-factor smoke detector would be useless, because it would require you to verify that there is actually a fire with a code, when the purpose of smoke detectors are to warn you about fires you ''don't'' know about.
|-
|Change your maiden name regularly
|The usual tip is to change your passwords regularly. Some password recovery procedures ask for a security question, like "what is you maiden name" (which is the family name that you were born with). Since it acts as a second password, it should also be changed regularly. Changing it, however, would be very difficult or even impossible, even more so on a regular basis. Also, maiden names and other trivia typically asked by security questions are not secret, so they are inherently not secure.
A real tip for dealing with security questions would be to enter false data.
|-
|Put strange USB drives in a bag of rice overnight
|The usual security tip is "Don't plug strange USB drives into your computer," because sometimes attackers put viruses that infect your system when plugged in. This tip implies that you should "put USB drives in a bag of rice overnight" which is a common technique for drying out water damaged devices, due to rice's absorbent qualities. This would not clean the drive of viruses, and unless the drive was wet (perhaps because you found it outside due to it being called "strange") it would not do anything.
|-
|Use special characters like & and %
|You can use special characters to increase the entropy/strength of your password, though as describe in [http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength xkcd 936], that often leads to passwords that are hard to remember but not particularly strong. The password context is missing here, and in everyday situations the characters & and % are not special.
|-
|Only read content published through Tor.com
|[https://en.wikipedia.org/wiki/Tor_(anonymity_network) Tor] is a software solution to provide anonymity on the web for its users. The website [https://tor.com Tor.com] is the website of fantasy and sci-fi book publisher Tor, which has no relation to the Tor-network.
|-
|Use a burner's phone
|A play on using a burner phone (a cheap/disposable cell phone like those purchased at 7-11, often used for drug deals or other activity one might not want traced), and using the cell phone of a burner, i.e. a person who goes to the the Burning Man festival.
|-
|Get an SSL certificate and store it in a safe place
|SSL/TLS is a protocol for securing connections on the internet. To check if someone is who he claims to be you can check the individuals certificate. Such a certificate has to be public, storing it in a safe place makes the certificate useless. You have to store the private key that matches the certificate in a safe place, else someone could steal the identity.
|-
|If a border guard asks to examine your laptop, you have a legal right to challenge them to a chess game for your soul.
|This tip is likely a reference to Ingmar Bergman's film [https://en.wikipedia.org/wiki/The_Seventh_Seal#Synopsis The Seventh Seal]
|-
|Never give your password or bank account number to anyone who doesn't have a blue check mark next to their name. (Title Text)
|The usual security tip here is ''"only trust accounts claiming to be legitimate if they have a blue check mark next to their name"'', which means that the account is verified as legitimate. This tip suggests only giving your ''password'' to verified accounts, although you shouldn't give your password to ''any'' account.
|}

==Transcript==
{{incomplete transcript|Do NOT delete this tag too soon.}}

:Ponytail: We've been trying for decades to give people good security advice.
:Ponytail: But in retrospect, lots of the tips actually made things worse.

:Cueball: Maybe we should try to give ''bad'' advice?
:Ponytail: I guess it's worth a shot.

:Security tips
:(Print out this list and keep it in your bank safe deposit box.)
* Don't click links to websites
* Use prime numbers in your password
* Change your password manager monthly
* Hold your breath while crossing the border
* Install a secure font
* User a 2-factor smoke detector
* Change your maiden name regularly
* Put strange USB drives in a bag of rice overnight
* Use special characters like & and %
* Only read content published through Tor.com
* Use a burner's phone
* Get an SSL certificate and store it in a safe place
* If a border guard asks to examine your laptop, you have a legal right to challenge them to a chess game for your soul.

{{comic discussion}}

explain xkcd - User contributions [en]

1820: Security Advice