0792: "Password Reuse"

This forum is for the individual discussion thread that goes with each new comic.


User avatar
Diadem
Posts: 5653
Joined: Wed Jun 11, 2008 11:03 am UTC
Location: The Netherlands

Re: "Password Reuse" Discussion (#792)

Postby Diadem » Mon Sep 13, 2010 11:25 am UTC

So who else is guilty of password reuse?

I use one password (a pretty weak but easy to type one too) for most internet sites that aren't terribly important if they get hacked. Typically forums and things like that. XKCD too. My email has its separate password (though several accounts use the same one), as has PayPal. Things encrypted on my hdd have their own password too. All in all I think I'm reasonably safe, though I could do better. But using a new password for every site is a pure nightmare; that's hundreds of passwords I'd have to remember.
It's one of those irregular verbs, isn't it? I have an independent mind, you are an eccentric, he is round the twist
- Bernard Woolley in Yes, Prime Minister

brinchj
Posts: 2
Joined: Mon Sep 13, 2010 8:56 am UTC

Re: "Password Reuse" Discussion (#792)

Postby brinchj » Mon Sep 13, 2010 11:27 am UTC

This comic presents a good explanation of one of the issues I've been trying to solve, by developing the open source browser add-on RndPhrase.
I've been looking at existing solutions, and many work similarly. However, none of them was exactly what I wanted.

This is what I do:
* Hash a seed, user chosen password and the domain name to form a secure password
* Use Mozilla's Public Suffix List to determine the correct domain name - this is what browsers use for cookies as well

An example:
For xkcd.com, the seed "123" and password "abc" yields "bdilwb6wumd4nchr".
The same combination used on facebook.com yields "p9j5qyecnxu7nmn7".

A few problems I haven't solved yet:
* Sites with multiple domains (e.g. mail.google.com vs. gmail.com)
* Sites with password restrictions (e.g. "max 10 characters" or "no digits")

-- For the technical ones: I use Daniel Bernstein's CubeHash8/1 for hashing due to its conservative, yet simple design.

This is my first post, so I can't post the link to the project. You'll have to google it.

--
Johan Brinch,
Dept. of Computer Science,
University of Copenhagen
Last edited by brinchj on Mon Sep 13, 2010 1:47 pm UTC, edited 1 time in total.
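A worked version of the derivation brinchj outlines, added here as an example and not the RndPhrase add-on's own code: it assumes PBKDF2-HMAC-SHA256 from the Python standard library in place of CubeHash8/1 and a small constructed subset of Mozilla's Public Suffix List, and it also covers the length/alphabet restriction case the post lists as unsolved.

```python
# Deterministic per-site passwords from (seed, master password, domain).
# Added example, not the RndPhrase add-on's code. Assumptions: PBKDF2-HMAC-
# SHA256 stands in for CubeHash8/1, and PUBLIC_SUFFIXES is a tiny
# constructed subset of Mozilla's Public Suffix List.
import hashlib

# Constructed subset of the Public Suffix List: a registrable domain is the
# longest matching entry here plus one more label to its left.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "ac.uk"}

LOWER_ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def registrable_domain(host: str) -> str:
    """Reduce a host name to its registrable domain (eTLD+1).

    mail.google.com -> google.com, www.example.co.uk -> example.co.uk.
    Suffixes are tried longest-first, so 'co.uk' wins over 'uk'.
    """
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a public suffix, not a site")
            return ".".join(labels[i - 1:])
    # Suffix not in our table: fall back to the last two labels.
    return ".".join(labels[-2:])


def derive_site_password(seed: str, master: str, host: str,
                         length: int = 16, alphabet: str = LOWER_ALNUM) -> str:
    """Derive the password for one site.

    The salt binds the output to the seed and the registrable domain, so a
    password that leaks from one site neither equals nor reveals the pattern
    behind the password used anywhere else; recovering the master password
    from a leak still requires a brute-force search. `length` and `alphabet`
    let the caller meet a site's composition rules ("max 10 characters",
    "no digits") while staying deterministic.
    """
    if not 1 <= length <= 64 or len(alphabet) < 2:
        raise ValueError("length must be 1..64 and alphabet needs >= 2 symbols")
    domain = registrable_domain(host)
    salt = seed.encode() + b"\x00" + domain.encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=64)
    # Treat the 512-bit key as one integer and spell it in base len(alphabet);
    # the bias is negligible because 2**512 vastly exceeds len(alphabet)**length.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)


def demo() -> dict:
    """Show the properties the post describes, on constructed inputs."""
    seed, master = "123", "abc"
    return {
        "xkcd": derive_site_password(seed, master, "xkcd.com"),
        "facebook": derive_site_password(seed, master, "facebook.com"),
        # Same registrable domain -> same password (the cookie-scope rule).
        "facebook_www": derive_site_password(seed, master, "www.facebook.com"),
        # The unsolved multi-domain case: still two different passwords.
        "gmail": derive_site_password(seed, master, "gmail.com"),
        "google_mail": derive_site_password(seed, master, "mail.google.com"),
        # Site rule "max 10 characters, no digits".
        "restricted": derive_site_password(seed, master, "xkcd.com", length=10,
                                           alphabet="abcdefghijklmnopqrstuvwxyz"),
    }


if __name__ == "__main__":
    for site, pw in demo().items():
        print(f"{site:13} {pw}")
```

The outputs differ from the post's "bdilwb6wumd4nchr" because the hash function is different; the structural properties (per-domain separation, subdomain collapsing, deterministic restriction handling) are what the block demonstrates.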

User avatar
Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7417
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: "Password Reuse" Discussion (#792)

Postby Zamfir » Mon Sep 13, 2010 11:31 am UTC

Diadem wrote:So who else is guilty of password reuse?

I use one password (a pretty weak but easy to type one too) for most internet sites that aren't terribly important if they get hacked. Typically forums and things like that. XKCD too. My email has its separate password (though several accounts use the same one), as has PayPal. Things encrypted on my hdd have their own password too. All in all I think I'm reasonably safe, though I could do better. But using a new password for every site is a pure nightmare; that's hundreds of passwords I'd have to remember.

I made a "simple", slightly flexible password that is based on the name of the site. So an automated script can't directly reuse it on other sites, while for me it feels like having one password for most simple sites.

Of course, email and money get their own password.
Last edited by Zamfir on Mon Sep 13, 2010 12:07 pm UTC, edited 1 time in total.

User avatar
gordysc
Posts: 17
Joined: Thu May 13, 2010 1:13 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby gordysc » Mon Sep 13, 2010 11:59 am UTC

$5 says Randall made the forums for this very purpose.

mikeowaterloo
Posts: 2
Joined: Mon Sep 13, 2010 12:08 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby mikeowaterloo » Mon Sep 13, 2010 12:11 pm UTC

Code:

Whois Server Version 2.0

Domain Name: FACEBOOK.COM

Creation Date: 29-mar-1997
Expiration Date: 30-mar-2020

hatten
Posts: 139
Joined: Fri Apr 02, 2010 4:18 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby hatten » Mon Sep 13, 2010 12:38 pm UTC

hintss wrote:
hatten wrote:Same username everywhere, different passwords everywhere. I keep all my passwords in a text file hidden somewhere in my directory structure. Got a bash script for accessing passwords, and another for creating new.

This was a real funny one!

awesome, I'll just send you a rootkit, get the path, search through it, then find your file using the bash script. :P

also, my private key for ssh is over 100. because someone said it had to be over 15 :D

The chance that somebody would try and hack me (note, not having an ssh server on this comp), is substantially lower than a corrupt admin taking ahold of my stuff or me forgetting all of them.

hatten
Posts: 139
Joined: Fri Apr 02, 2010 4:18 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby hatten » Mon Sep 13, 2010 12:40 pm UTC

Zamfir wrote:
Diadem wrote:So who else is guilty of password reuse?

I use one password (a pretty weak but easy to type one too) for most internet sites that aren't terribly important if they get hacked. Typically forums and things like that. XKCD too. My email has its separate password (though several accounts use the same one), as has PayPal. Things encrypted on my hdd have their own password too. All in all I think I'm reasonably safe, though I could do better. But using a new password for every site is a pure nightmare; that's hundreds of passwords I'd have to remember.

I made a "simple", slightly flexible password that is based on the name of the site. So an automated script can't directly reuse it on other sites, while for me it feels like having one password for most simple sites.

Of course, email and money get their own password.

So if I get you to sign up at a few different sites I can guess the pattern and access all your sites? Sweeet.

richman1c
Posts: 4
Joined: Mon Sep 13, 2010 12:37 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby richman1c » Mon Sep 13, 2010 12:40 pm UTC

"The greatest rapper of all time died on March 9th (1997)"

NEVER FORGET!
Last edited by Felstaff on Thu Sep 16, 2010 1:03 pm UTC, edited 1 time in total.
Reason: Clarification that this is on-topic & referring to March 1997. Also he means the Notorious B.I.G.

User avatar
Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7417
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: "Password Reuse" Discussion (#792)

Postby Zamfir » Mon Sep 13, 2010 12:54 pm UTC

hatten wrote:
Zamfir wrote:
Diadem wrote:So who else is guilty of password reuse?

I use one password (a pretty weak but easy to type one too) for most internet sites that aren't terribly important if they get hacked. Typically forums and things like that. XKCD too. My email has its separate password (though several accounts use the same one), as has PayPal. Things encrypted on my hdd have their own password too. All in all I think I'm reasonably safe, though I could do better. But using a new password for every site is a pure nightmare; that's hundreds of passwords I'd have to remember.

I made a "simple", slightly flexible password that is based on the name of the site. So an automated script can't directly reuse it on other sites, while for me it feels like having one password for most simple sites.

Of course, email and money get their own password.

So if I get you to sign up at a few different sites I can guess the pattern and access all your sites? Sweeet.

Yes, if you are a human being trying to do that. It excludes automated tools, which is what concerns me more. Security is a balance between convenience and security, and this is a simple addition that adds a lot of security for little inconvenience. As I said, you should exclude critical sites from the system.

Do you mean you have separate passwords for every site you ever register to? If you write a few comments somewhere, or order something at a new webshop, you remember a new password?

User avatar
DragonHawk
Posts: 457
Joined: Sat Sep 15, 2007 1:20 am UTC
Location: NH, US, Earth
Contact:

Re: "Password Reuse" Discussion (#792)

Postby DragonHawk » Mon Sep 13, 2010 12:59 pm UTC

calvinhobbes wrote:What sort of dingus web developer doesn't salt+hash (at the very least) passwords before storing them?
The kind of web developer who wants to steal passwords? I bet that kind of web dev wears a black hat...

(For extra points, store the cleartext password to a separate location, then store the hashed password in the main database, so it looks like you're doing it right if someone's just looking at the database.)

A bit of Slashdot trivia: Slashcode originally stored passwords cleartext. Then one day someone stole their database, and they posted a "Everybody change all your passwords" story.
----------
Technical Ben wrote:I was guessing march 1997 was the day Black Hat Girl dumped him. :(

Your days must be longer than mine. I need 31 of my days to fill March. :)
----------
Mekmek wrote:Instead it's an in-character reference. Maybe to this?

Oh, interesting. That's a good bit of detective work right there, Mekmek.
Ben'); DROP TABLE Users;--

GENERATION 42: The first time you see this, copy it into yοur sig on any forum and stick a fork in yοur еyе. Social experiment.

User avatar
littlelj
Posts: 140
Joined: Wed Feb 18, 2009 10:40 am UTC

Re: "Password Reuse" Discussion (#792)

Postby littlelj » Mon Sep 13, 2010 1:04 pm UTC

Sorry I'm late. I've been changing some old passwords... :wink:

Seriously, though, it's a huge pest having to remember passwords, particularly since some sites have weird "no repetition of characters" or "must contain two symbols" or something rules, but they don't remind you of their rules when you log on.

If they said "must contain letters and numbers" then I'd know it was nn<normal password1>; if they said "must contain two or more non-alphanumeric characters" I'd know it was <normal password2>!!; etc.

Blast them and their security.

My internet banking gave me a little handheld calculator thing to put my card in and then enter my PIN to give me a unique code to use as a password online that visit. There's obviously some very clever but ultimately crackable algorithm doing something, but having to have the card in your possession and the PIN in your memory at the same time is clearly a Good Start.
Dudes, I'm a woman.

brinchj
Posts: 2
Joined: Mon Sep 13, 2010 8:56 am UTC

Re: "Password Reuse" Discussion (#792)

Postby brinchj » Mon Sep 13, 2010 1:17 pm UTC

Sorry, double post. Nothing to see here.
Last edited by brinchj on Mon Sep 13, 2010 1:47 pm UTC, edited 1 time in total.

User avatar
BioTube
Posts: 362
Joined: Sat Apr 11, 2009 2:11 am UTC

Re: "Password Reuse" Discussion (#792)

Postby BioTube » Mon Sep 13, 2010 1:18 pm UTC

okvol wrote:"Focus on the Family" started by Dr. James Dodson. This guy makes Sarah Palin look liberal.
At least FotF makes a semi-entertaining radio drama, which gets that "Born Again" in your household to shut up for a while.
Frédéric Bastiat wrote:Government is the great fiction through which everybody endeavors to live at the expense of everybody else.

User avatar
DragonHawk
Posts: 457
Joined: Sat Sep 15, 2007 1:20 am UTC
Location: NH, US, Earth
Contact:

Re: "Password Reuse" Discussion (#792)

Postby DragonHawk » Mon Sep 13, 2010 1:23 pm UTC

littlelj wrote:Seriously, though, it's a huge pest having to remember passwords, particularly since some sites have weird "no repetition of characters" or "must contain two symbols" or something rules, but they don't remind you of their rules when you log on.

Use a web browser that can "remember" passwords for you, and protect the browser's password bank with a strong unique password. Or use a password bank that works on your phone or whatever if you prefer. Or both.
My internet banking gave me a little handheld calculator thing to put my card in and then enter my PIN to give me a unique code to use as a password online that visit. There's obviously some very clever but ultimately crackable algorithm doing something, but having to have the card in your possession and the PIN in your memory at the same time is clearly a Good Start.

That's called "two factor authentication", and it is a very good thing.

I suppose the device could be using a one-time pad to give you those codes. If so, it's not algorithmically crackable. One-time pads have been mathematically proven to be "uncrackable", as far as the algorithm goes. However, the fact that the algorithm is theoretically secure doesn't get you much. Gene "spaf" Spafford put it best: "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench."
Ben'); DROP TABLE Users;--

GENERATION 42: The first time you see this, copy it into yοur sig on any forum and stick a fork in yοur еyе. Social experiment.

User avatar
Sprocket
Seymour
Posts: 5946
Joined: Mon Mar 26, 2007 6:04 pm UTC
Location: impaled on Beck's boney hips.
Contact:

Re: "Password Reuse" Discussion (#792)

Postby Sprocket » Mon Sep 13, 2010 1:24 pm UTC

My vote is with cloning, as it's the first thing in the Wikipedia entry, and my experience with the type of guy BHG is leads me to believe he probably had some exciting ideas about cloning, and now they were all for naught...hmm

HOWEVER perhaps it was the cancellation of the animated X-Men series which had started in 1992!
"She’s a free spirit, a wind-rider, she’s at one with nature, and walks with the kodama eidolons”
Zohar wrote: Down with the hipster binary! It's a SPECTRUM!

matt_sharkey
Posts: 7
Joined: Wed Nov 25, 2009 4:59 am UTC

Re: "Password Reuse" Discussion (#792)

Postby matt_sharkey » Mon Sep 13, 2010 1:36 pm UTC

almost a "Randall get out of my head"

Last night I was finishing my astronomy homework, which asked to calculate various quantities of the comet Hale-Bopp. After looking into it I saw that it caused the mass suicide of the cult "Heaven's Gate" in March of 1997, when it was closest to Earth. After Wikipediaing that I checked out the xkcd for today; I'm thoroughly convinced that the March 1997 BHG is talking about refers to the comet Hale-Bopp.

User avatar
Sprocket
Seymour
Posts: 5946
Joined: Mon Mar 26, 2007 6:04 pm UTC
Location: impaled on Beck's boney hips.
Contact:

Re: "Password Reuse" Discussion (#792)

Postby Sprocket » Mon Sep 13, 2010 1:48 pm UTC

If BHG was into Heaven's Gate, he'd be dead now, but it is likely, being who he is, that he did desire a great horrific apocalypse..the sick fuck.
"She’s a free spirit, a wind-rider, she’s at one with nature, and walks with the kodama eidolons”
Zohar wrote: Down with the hipster binary! It's a SPECTRUM!

mikeowaterloo
Posts: 2
Joined: Mon Sep 13, 2010 12:08 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby mikeowaterloo » Mon Sep 13, 2010 1:58 pm UTC

As I mentioned above Facebook.com was registered in March 1997.

Here are some choice quotes from Zuckerberg (sound a bit like BHG?):

According to SAI sources, the following exchange is between a 19-year-old Mark Zuckerberg and a friend shortly after Mark launched The Facebook in his dorm room:

Zuck: Yeah so if you ever need info about anyone at Harvard

Zuck: Just ask.

Zuck: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend's Name]: What? How'd you manage that one?

Zuck: People just submitted it.

Zuck: I don't know why.

Zuck: They "trust me"

Zuck: Dumb f**ks.



The forum won't let me post the link, but if you Google "Well, These New Zuckerberg IMs Won't Help Facebook's Privacy Problems" you should be able to find the article where these quotes appear.

1055
Posts: 20
Joined: Thu Jan 07, 2010 6:12 am UTC
Location: Cambridge, MA

Re: "Password Reuse" discussion (#792)

Postby 1055 » Mon Sep 13, 2010 2:27 pm UTC

MoogleGunner wrote:BHG gazed into the tail Comet Hale-Bopp, and the tail gazed back into him


Awesome post! Love the Nietzche reference!

Also, my solution to this problem is to use good, unique passwords for the important sites and random ones for everything else, then forget them and generate a new password almost every time.

cout
Posts: 13
Joined: Mon Oct 19, 2009 1:55 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby cout » Mon Sep 13, 2010 2:32 pm UTC

1. Is this comic self-referential? I wonder how many passwords to the forums on xkcd.com are reused on other forums. (Please Randall, don't go logging into my account on the chrysler forums talking about how great fords are)

2. I too am curious what happened in March 1997. Theories already posted are:

* Facebook.com was registered
* International release of Star Wars: Space Remix
* This is a nerd snipe

I want to propose that this is a reference to Comet Hale-Bopp and the Heaven's Gate cult, who committed mass suicide in March 1997. I suspect there were a lot of other cultists who were disappointed that the comet wasn't actually a spaceship or cult leaders who were disappointed that they didn't think of capitalizing on the comet's publicity.

User avatar
SirMustapha
Posts: 1302
Joined: Mon Jul 21, 2008 6:07 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby SirMustapha » Mon Sep 13, 2010 2:32 pm UTC

This strip is amazing: for the most part it's just an infodump of a security issue. Then it puts Black-Hat-Guy into a pretty interesting (however cliché) situation that could yield great comedic results, yet the most Randall can do is a boring joke at the expense of Google??

RANDALL, YOU SUCK AT WRITING. PERIOD.

And people wonder why I don't leave this place: Randall never fails to amaze me!

User avatar
Okita
Staying Alive
Posts: 3071
Joined: Fri Aug 10, 2007 7:51 pm UTC
Location: Finance land.

Re: "Password Reuse" Discussion (#792)

Postby Okita » Mon Sep 13, 2010 3:09 pm UTC

What I used to do was memorize a very simple encryption function and then encrypt it based upon a weak but easy to remember password. I'd also throw in bits and pieces from whatever website I was using to boot (of course I'd use that same function on the website pieces).

It gave me a slightly more secure password and over time, from having to constantly calculate the password, I ended up memorizing it. However, it turns out those passwords weren't as secure as I hoped (mathematically, that is).

I've been looking into LastPass and have been pretty impressed but haven't made the jump yet.

Anyone else use LastPass and cares to comment?
"I may or may not be a raptor. There is no way of knowing until entering a box that I happen to be in and then letting me sunder the delicious human flesh from your body in reptile fury."

Technical Ben
Posts: 2986
Joined: Tue May 27, 2008 10:42 pm UTC

Re: "Password Reuse" discussion (#792)

Postby Technical Ben » Mon Sep 13, 2010 4:20 pm UTC

Mekmek wrote:
Karilyn wrote:I'm going to say it's a random date and/or a variation of a Noodle Incident

I'm also in favor of no real event at all. Instead it's an in-character reference. Maybe to this?


Which was the point Black Hat Girl dumped him... at the park, next to a bench.
It's all physics and stamp collecting.
It's not a particle or a wave. It's just an exchange.

User avatar
adaviel
Posts: 41
Joined: Wed Jan 14, 2009 5:30 pm UTC
Location: Vancouver Canada
Contact:

Re: "Password Reuse" Discussion (#792)

Postby adaviel » Mon Sep 13, 2010 4:51 pm UTC

My current strategy for random websites:
mkpasswd.pl 20 (Perl script to generate high-entropy 20-char password)
Paste into registration page
Either ask Firefox to remember it (with an encryption password, of course, which I have to remember myself), or just click the "remind me of my password" link next time.

Sometimes an entropy-reduction step is necessary, e.g. ATMs accept only 6-digit code, some websites refuse non-alphanumeric characters. One fairly major site bizarrely accepted a new long password, but then truncated it on login so that it never worked.

(I'm not sure that password entropy is the real problem. 0.2% of highly-educated computer-literate scientists will fall for
"To confirm your account, email your username and password to bhg@evilplan.net", touched up with some website text like "IT Dept. Science and Engineering at Horvard University")

User avatar
XbHW_TestEngr
Posts: 95
Joined: Sat Jan 17, 2009 9:29 pm UTC
Location: Kirkland, WA
Contact:

Re: "Password Reuse" Discussion (#792)

Postby XbHW_TestEngr » Mon Sep 13, 2010 4:53 pm UTC

- paranoid internet user here.
I have about 5 usernames for the various sites I "trust", but EVERY site has a unique password, 12 - 15 characters, randomly generated. For sites I don't trust, I create a throw-away email address & username and see how fast it gets sold.
... and there will be cake.

I have traveled from 1960 to be a member of the unofficial Council of Elders. Phear M3

benbald72 wrote:I feel connected to the author and therefore appreciate the comic, regardless of whether or not I understand the joke ....

User avatar
M.B.Giles
Posts: 7
Joined: Tue Feb 10, 2009 6:35 am UTC
Location: Where the wild things are...

Re: "Password Reuse" Discussion (#792)

Postby M.B.Giles » Mon Sep 13, 2010 4:55 pm UTC

I'm going to guess it's the death of this guy that has him upset: http://en.wikipedia.org/wiki/Robert_H._Dicke

jpers36
Posts: 223
Joined: Wed Apr 14, 2010 2:47 pm UTC
Location: The 3-manifold described by Red and Blue

Re: "Password Reuse" Discussion (#792)

Postby jpers36 » Mon Sep 13, 2010 4:56 pm UTC

Zamfir wrote:Security is a balance between convenience and security...


That's a bit recursive.

oddy
Posts: 10
Joined: Fri Jun 04, 2010 8:13 am UTC

Re: "Password Reuse" Discussion (#792)

Postby oddy » Mon Sep 13, 2010 4:56 pm UTC

http://blog.xkcd.com/2007/03/

March 2007? Cory Doctorow won the award and got the balloon and cape. I would have started believing in humanity from then on! :D

His laptop was stolen... could that be it?

And he got an awesome response from a Paleontology professor. :mrgreen: That one is kinda cool!

Meh I'm not too sure.

User avatar
adaviel
Posts: 41
Joined: Wed Jan 14, 2009 5:30 pm UTC
Location: Vancouver Canada
Contact:

Re: "Password Reuse" Discussion (#792)

Postby adaviel » Mon Sep 13, 2010 5:08 pm UTC

Sulayman-F wrote:This wasn't that big of a secret, I'm surprised it's not mentioned in TOSes for websites, e.g. "We will never be able to see your actual password (due to one-way hashing) or use it anywhere else"


For what value of "we"? That might be true for logins on a decent, unhacked operating system, but for a website it depends on the site developer. Unless you use SSL, *everyone* can see your password (open WiFi, network admins, etc.), and even with that, it's visible to the PHP/Perl/whatever that the login script is coded in. Granted, a decent site would code the hash function into some compiled binary that random website developers and admins don't have access to.

User avatar
StNowhere
Posts: 251
Joined: Tue Jun 29, 2010 7:24 am UTC

Re: "Password Reuse" Discussion (#792)

Postby StNowhere » Mon Sep 13, 2010 5:36 pm UTC

SirMustapha wrote:And people wonder why I don't leave this place: Randall never fails to amaze me!


The Westboro Batshit Crazyhouse never fails to amaze me with their delving to new depths of stupid media whore-dom, but I'm not going to follow them around and complain that their most recent picketing is derivative of their soldier funeral picketing, because it's just a waste of time. Makes me think that you really just want to be disappointed, and rarely miss an opportunity to do so.

User avatar
Maurog
Posts: 842
Joined: Tue Jul 10, 2007 7:58 am UTC

Re: "Password Reuse" Discussion (#792)

Postby Maurog » Mon Sep 13, 2010 6:14 pm UTC

Don't feed it please...

By the way, the sites which insist that I submit a twenty-char password with capital letters, digits and symbols inside are the ones that I later end up requesting my password back on when I want to log in again. Which doesn't really solve the problem, because after all the hassle, I have to set up a new twenty-char password which I won't remember again.
Slay the living! Raise the dead! Paint the sky in crimson red!

User avatar
Snicker-Snack
Posts: 1
Joined: Mon Sep 13, 2010 6:07 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby Snicker-Snack » Mon Sep 13, 2010 6:23 pm UTC

weex wrote:Keepass can be of service here and it's good security to be as paranoid about your secret questions as you are choosing passwords.

The great thing for BHG here is that the masses will not significantly change this behavior until the browser or OS start to compare the usernames and passwords they use.


I agree -- ever since I started using KeePass, password management has become a trivial problem.

It's alarming that people are still reusing passwords when nice password management products like KeePass are available.

User avatar
neoliminal
Posts: 626
Joined: Wed Feb 18, 2009 6:39 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby neoliminal » Mon Sep 13, 2010 6:37 pm UTC

1997

Larry and Sergey decide that the BackRub search engine needs a new name. After some brainstorming, they go with Google -- a play on the word "googol," a mathematical term for the number represented by the numeral 1 followed by 100 zeros. The use of the term reflects their mission to organize a seemingly infinite amount of information on the web.


Unfortunately I think it's Facebook though, because I can't find the above as being in March.
http://www.amazon.com/dp/B0073YYXRC
Read My Book. Cost less than coffee. Will probably keep you awake longer.
[hint, scary!]

NerfTW
Posts: 13
Joined: Fri Nov 23, 2007 3:55 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby NerfTW » Mon Sep 13, 2010 7:05 pm UTC

calvinhobbes wrote:What sort of dingus web developer doesn't salt+hash (at the very least) passwords before storing them?

I'm a noob when it comes to web dev, but even I know that's what you're supposed to do,
so that way, even if your DB is compromised, no one (not even you) can discover your users' passwords.



Uh, the kind that WANT to be able to steal the passwords?

That's like asking why a parking garage owner that wants to use his customers' cars isn't putting the keys in a dual control safe. Because then he wouldn't be able to access them. Duh. If you're setting up the site specifically to harvest email accounts and passwords, why would you bother securing it against yourself?

ailaG
Posts: 1
Joined: Mon Sep 13, 2010 7:08 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby ailaG » Mon Sep 13, 2010 7:19 pm UTC

I bet "March1997" is Randall's password somewhere.

Either that, or it's a hidden message about the date of the next global xkcd meetup. Prepare your time machines.

DavidRoss
Posts: 96
Joined: Fri Mar 05, 2010 8:04 am UTC

Re: "Password Reuse" Discussion (#792)

Postby DavidRoss » Mon Sep 13, 2010 7:46 pm UTC

I think the key aspect of a free account to keep in mind is that you are not the customer. You are the inventory. You will be treated accordingly.

The reason why I am not concerned about ATM passwords being limited to 1:10,000 is that the administrators of the system (my bank) are pre-programmed to give a damn - otherwise their employer is on the hook for part of the money and the person gets fired. Thus, they spend a lot of time thinking about how not to let it happen. What happens if my Gmail account gets hacked? (I mean, besides my private, private e-mails to Sarah Palin ending up in People Magazine.) Is anyone who is making the day-to-day security decisions going to get fired or endure assertions of incompetence?

User avatar
SirMustapha
Posts: 1302
Joined: Mon Jul 21, 2008 6:07 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby SirMustapha » Mon Sep 13, 2010 8:03 pm UTC

StNowhere wrote:The Westboro Batshit Crazyhouse never fails to amaze me with their delving to new depths of stupid media whore-dom, but I'm not going to follow them around and complain that their most recent picketing is derivative of their soldier funeral picketing, because it's just a waste of time.


Might be to you, but it's not to me. Randall's incompetence amuses me to no end.

If xkcd were as actively, offensively bad such as Ctrl-Alt-Del or Least I Could Do, well, in that case I'd keep the hell away from it, but no... the awfulness of Randall's humour and writing is, in a way, endearing. There's a curious mix of the genuine wish to see him unfold into an actually good artist and the recurring comedy of him falling flat on his face again and again. I love it.

@dmin
Posts: 9
Joined: Fri Aug 13, 2010 9:46 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby @dmin » Mon Sep 13, 2010 9:51 pm UTC

My new favorite xkcd.

Too much control is boring. It's like being a net admin. You have control of all the users and can do anything, but why?

tucker1a485
Posts: 1
Joined: Mon Sep 13, 2010 9:52 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby tucker1a485 » Mon Sep 13, 2010 9:56 pm UTC

This is why I use the same password for all the crap that doesn't matter and a set of unique random letter/number/symbol combination passwords for all the important stuff, i.e. bank login, credit card login and anything pertaining to money or my social security number are randomish combinations. I say randomish because really they are just the first letter of each word in a sentence combined with numbers and symbols. Works great.

Story
Posts: 78
Joined: Wed Aug 26, 2009 9:03 pm UTC

Re: "Password Reuse" Discussion (#792)

Postby Story » Mon Sep 13, 2010 10:04 pm UTC

DavidRoss wrote:What happens if my Gmail account gets hacked? (I mean, besides my private, private e-mails to Sarah Palin ending up in People Magazine.) Is anyone who is making the day-to-day security decisions going to get fired or endure assertions of incompetence?


Actually, the people in charge of security at Google take it very seriously. Remember, there are Chinese dissidents whose very lives may depend on the security of the email system.

Of course, that refers to actual hacking, like the incident last December. If you want to pick an insecure password, there's not much anyone can do to stop you.

