Talk:1700: New Bug

Explain xkcd: It's 'cause you're dumb.
Revision as of 09:54, 29 June 2016 by Hkmaly (talk | contribs)

I'm new. For the explanation: A bug, as in a computer (programming) bug, can be reported and tracked, and many systems allow collaboration on the reporting and tracking of problems, or bugs, in code, and their solutions. Cueball reported a problem (bug) he found in the code, which presumably caused the server (program)—which he wrote as part of his project—to try to read the passwords as URLs before storing them. This exposes serious cross-site scripting attacks and other serious security vulnerabilities, and since handling password and user account information usually requires a lot of programming, this would be difficult to fix, which is why the character off-panel suggests burning the project down, as that would be much easier, and would solve any security problems much more quickly than fixing the bug would. The comment text refers to Cueball's horrid solution to a horrid problem: Instead of solving the problem that is causing the server to read passwords as URLs, he can instead leverage a known problem in the programme which reads URLs, which prevents it from reading a particular way of representing text in binary form, by adding a few characters to the user's password that the URL-reading program can't read. This would also "salt" the user's password, which is a security technique that makes passwords harder to figure out when they are stored properly. Cueball thinks this would solve the original problem and two other problems at the same time, the second problem being the fact that users' passwords aren't salted (a security problem). The third solved problem is difficult to deduce. Zyzygy 05:40, 29 June 2016 (UTC)


> The third bug is the Unicode handling, which would need to be solved in order to salt passwords with emoji, since these are Unicode-only characters. Although I'm not sure if salting with emoji really increases security, since as a rule I'd say nobody uses emoji in their passwords. 162.158.85.123 06:34, 29 June 2016 (UTC)
Actually, nobody using emoji in their password would be a reason salting with emoji is MORE effective. Salting doesn't really increase the security of a single password, but it does increase the security of the whole password database, because you can hash some string, like 123456, and check the whole database for users having that as their password. If every password is salted with a different emoji, this strategy will not work, because while you KNOW which emoji is used (the salt is stored unhashed with the password hash), it's always different, so you need to compute a new hash for every line in the password database. Hashing takes MUCH more time than just comparing strings. And why is it even more effective? Because someone might actually get multiple databases and search for entries with the same salt, hoping there will be enough of them to be worth it. And a salt with emoji likely wouldn't be so common ... -- Hkmaly (talk) 09:54, 29 June 2016 (UTC)
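An added example (not from this talk page or from xkcd) illustrating the point Hkmaly makes above: with unsalted hashes a single hash computation lets you check one candidate password against every row, whereas a distinct per-user salt (here a distinct emoji per user, as in the comic) forces one hash per row. The user table and the emoji choice are constructed for the demonstration.

```python
import hashlib

# Constructed sample: three users, two of whom chose the same weak password.
USERS = {"alice": "123456", "bob": "hunter2", "carol": "123456"}


def make_db(salted: bool) -> dict:
    """Build a {user: (salt, sha256_hex)} table.

    With salted=True each user gets a distinct emoji salt (U+1F600, U+1F601, ...),
    stored in the clear next to the hash, exactly as a real salt would be.
    With salted=False the salt is the empty string, i.e. plain unsalted hashing.
    """
    db = {}
    for user, password in USERS.items():
        salt = chr(0x1F600 + len(db)) if salted else ""
        # Emoji are outside the BMP, so they must be UTF-8 encoded before hashing
        # (this is the "Unicode handling" the thread mentions).
        digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
        db[user] = (salt, digest)
    return db


def find_users_with_password(db: dict, guess: str) -> tuple:
    """Find every user whose stored hash matches `guess`.

    Returns (matching_users, hash_computations). A hash is computed once per
    distinct salt: unsalted tables need one hash and then only cheap string
    compares; per-user salts need a fresh hash for every row.
    """
    cache = {}          # salt -> sha256(salt + guess)
    hash_computations = 0
    hits = []
    for user, (salt, digest) in db.items():
        if salt not in cache:
            cache[salt] = hashlib.sha256((salt + guess).encode("utf-8")).hexdigest()
            hash_computations += 1
        if cache[salt] == digest:
            hits.append(user)
    return hits, hash_computations


if __name__ == "__main__":
    for salted in (False, True):
        hits, work = find_users_with_password(make_db(salted), "123456")
        print(f"salted={salted}: users with 123456 = {hits}, hashes computed = {work}")
```

Both runs find the same two users; the difference is the work per candidate password, which is what makes bulk lookups against a salted table expensive.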