Main Page

Explain xkcd: It's 'cause you're dumb.
Revision as of 23:05, 16 October 2016 by Davidy22 (talk | contribs) (Test)
Jump to: navigation, search

Welcome to the explain xkcd wiki!
We have an explanation for all 2175 xkcd comics, and only 11 (1%) are incomplete. Help us finish them!

Latest comic

Go to this comic explanation

How Hacking Works
If only somebody had warned them that the world would roll them like this.
Title text: If only somebody had warned them that the world would roll them like this.


Ambox notice.png This explanation may be incomplete or incorrect: Created by One of the Sharper Tools in the Shed. Please mention here why this explanation isn't complete. Do NOT delete this tag too soon.

In similar spirit to 538: Security, this comic deals with how many people perceive hacking and security best practices, and how it differs from the actual reality. Specifically, the comic points out the flaw in the argument of some security-minded people that writing passwords down on a sheet of paper is a massive operational security vulnerability, not accounting for the threat model of the general public: reused passwords being leaked from seemingly benign places.

While it is true that storing passwords on paper is generally a bad idea, one has to keep in mind the alternatives—password reuse or unencrypted password documents on a computer—that non-technical people might otherwise engage in. These are far easier to exploit for a casual attacker that goes for quantity over quality.

The second panel goes into detail how such an attack is usually executed: First, a database containing usernames/emails and associated passwords or insufficiently salted password hashes is stolen from an improperly secured website. Randall's example uses a fictional breach of a small forum dedicated to the band Smash Mouth, but even large companies are not immune to leaks. Assuming the passwords were not hashed, the crooks then go on and automatically try to log in to a popular payment service, Venmo, with the harvested credentials. Even though the success rate might be just fractions of a percent, due to the scale and cheapness of the attack (which can be automated, requiring no sustained effort from the crooks), it is likely still profitable. Such an attack has previously been discussed in 792: Password Reuse.

Although writing passwords on paper can allow users to create unique complex passwords without being limited by human memory, and therefore protect themselves from these sorts of mass-breach attacks, their passwords are now more vulnerable to insider attacks by e.g. family members, close friends, or co-workers.

The way recommended by most security experts to prevent these kinds of attacks is to use a password manager - a secure application that stores all of your passwords in an encrypted vault that only you can access. This way, you only need to remember one password - the master password to your vault - and all of your other passwords can be as long, different, and random as you like. This means that even if a crook manages to get one of your passwords, they won't be able to use it to access any other sites, and so the attack shown in the comic would fail. Websites can also support two-factor authentication, where the user must supply a randomly changing code from a second device, such as a cell phone application or standalone keyfob, to log in.

The title text is referring to Smash Mouth's song "All Star," where the first line of the lyrics is "Somebody once told me the world is gonna roll me." The singer subsequently admits that he is not "the sharpest tool in the shed," which would be consistent with re-using simple passwords across multiple accounts (including financial accounts).


Ambox notice.png This transcript is incomplete. Please help editing it! Thanks.
[Two panels with a caption below each panel:]
[Panel 1 - Three masked characters standing near a desk with a computer inside a home]
Masked Character 1 [holding a walkie-talkie]: Control, we have flown to the USA and breached the target's house.
Masked Character 2: They wrote all their passwords in a book labeled "Passwords"!
Masked Character 3: The fool!
[Caption below the panel:]
How people think hacking works
[Panel 2 - Two Cueball-like characters, each sitting on opposite sides of a single desk with laptops in front of them]
Cueball 1: Hey look, someone leaked the emails and passwords from the Smash Mouth message boards.
Cueball 2: Cool, let's try them all on Venmo.
[Caption below the panel:]
How it actually works

Is this out of date? Clicking here will fix that.

New here?

Last 7 days (Top 10)

Lots of people contribute to make this wiki a success. Many of the recent contributors, listed above, have just joined. You can do it too! Create your account here.

You can read a brief introduction about this wiki at explain xkcd. Feel free to sign up for an account and contribute to the wiki! We need explanations for comics, characters, themes and everything in between. If it is referenced in an xkcd web comic, it should be here.

  • There are incomplete explanations listed here. Feel free to help out by expanding them!
  • We sell advertising space to pay for our server costs. To learn more, go here.


Don't be a jerk.

There are a lot of comics that don't have set-in-stone explanations; feel free to put multiple interpretations in the wiki page for each comic.

If you want to talk about a specific comic, use its discussion page.

Please only submit material directly related to (and helping everyone better understand) xkcd... and of course only submit material that can legally be posted (and freely edited). Off-topic or other inappropriate content is subject to removal or modification at admin discretion, and users who repeatedly post such content will be blocked.

If you need assistance from an admin, post a message to the Admin requests board.