Editing 2176: How Hacking Works

Jump to: navigation, search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 10: Line 10:
 
In similar spirit to [[538: Security]], this comic deals with how many people perceive hacking and security best practices, and how it differs from the actual reality. Specifically, the comic points out the flaw in the argument of some security-minded people that writing passwords down on a sheet of paper is a massive {{w|OPSEC|operational security}} vulnerability, not accounting for the {{w|threat model}} of the general public: reused passwords being leaked from seemingly benign places.
 
In similar spirit to [[538: Security]], this comic deals with how many people perceive hacking and security best practices, and how it differs from the actual reality. Specifically, the comic points out the flaw in the argument of some security-minded people that writing passwords down on a sheet of paper is a massive {{w|OPSEC|operational security}} vulnerability, not accounting for the {{w|threat model}} of the general public: reused passwords being leaked from seemingly benign places.
  
βˆ’
The first panel shows a group of masked men, who have apparently flown to the US from a different country and broken into someone's house. They find a book labeled "Passwords" that contains all the passwords of their target, and one reports this using a {{w|walkie-talkie}}, while another remarks that the target is a fool for writing down their passwords. While it is true that storing passwords on paper is generally a bad idea, one has to keep in mind the alternatives—password reuse or unencrypted password documents on a computer—that non-technical people might otherwise engage in. These are far easier to exploit for a casual attacker that goes for quantity over quality.  In addition, given the larger group of potential attackers are the remote attackers, storing passwords on a piece of paper, while horrible for security from a local "in person" attacker, is actually pretty effective against a remote attacker being able to gather up your passwords.
+
The first panel shows a group of masked men, who have apparently flown to the US from a different country and broken into someone's house. They find a book labeled "Passwords" that contains all the passwords of their target, and one reports this using a {{w|walkie-talkie}}, while another remarks that the target is a fool for writing down his passwords. While it is true that storing passwords on paper is generally a bad idea, one has to keep in mind the alternatives—password reuse or unencrypted password documents on a computer—that non-technical people might otherwise engage in. These are far easier to exploit for a casual attacker that goes for quantity over quality.  In addition, given the larger group of potential attackers are the remote attackers, storing passwords on a piece of paper, while horrible for security from a local "in person" attacker, is actually pretty effective against a remote attacker being able to gather up your passwords.
  
 
The second panel goes into detail how such an attack is usually executed: First, a database containing usernames/emails and associated passwords or insufficiently salted password hashes is stolen from an improperly secured website. Randall's example uses a fictional breach of a small forum dedicated to the band {{w|Smash Mouth}}, but even large companies are not immune to leaks. Assuming the passwords were not hashed, the crooks then go on and automatically try to log in to a popular payment service, {{w|Venmo}}, with the harvested credentials. Even though the success rate might be just fractions of a percent, due to the scale and cheapness of the attack (which can be automated, requiring no sustained effort from the crooks), it is likely still profitable. Such an attack has previously been discussed in [[792: Password Reuse]].
 
The second panel goes into detail how such an attack is usually executed: First, a database containing usernames/emails and associated passwords or insufficiently salted password hashes is stolen from an improperly secured website. Randall's example uses a fictional breach of a small forum dedicated to the band {{w|Smash Mouth}}, but even large companies are not immune to leaks. Assuming the passwords were not hashed, the crooks then go on and automatically try to log in to a popular payment service, {{w|Venmo}}, with the harvested credentials. Even though the success rate might be just fractions of a percent, due to the scale and cheapness of the attack (which can be automated, requiring no sustained effort from the crooks), it is likely still profitable. Such an attack has previously been discussed in [[792: Password Reuse]].

Please note that all contributions to explain xkcd may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see explain xkcd:Copyrights for details). Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following CAPTCHA:

Cancel | Editing help (opens in new window)