Please log in.
Before you can vote, you need to register. Please log in or create an account.
Computer: Security: Authentication
joke logon   (+1, -1)  [vote for, against]
The computer asks for a punchline instead of a password

Currently passwords are the most common means of authenticating users.

The problem is, passwords are human-unfriendly. Strong passwords, which have no words or names, and a regular schedule for changing passwords, make it hard for people to remember, so they write them down. The multiple passwords you need for all your different computer places cause people either to use stupid passwords, or to use some easily hackable algorithm, such as the first letter from each word in song lyrics. All of these things make passworded systems weaker than they should be.

I propose that the computer instead prompt you for an already-agreed upon punchline for a joke, or the answer to an inane question. This will make it easy to recall for the person who knows it, but hard to hack, either for a computer or an outsider.

Such as "What is the opposite of a duck?"

"A kcuD".
-- lawpoop, Oct 26 2003

skipper to the next idea
-- po, Oct 26 2003


Some websites ask for a question-answer pair that they can use when verifying your identity, for instance if you lose your password and ask for it to be reset. On those sites I always punch in a joke and a punchline for those prompts.
-- krelnik, Oct 26 2003


I don't mind getting fish bones, but for crying out loud, will some one please let me in on why this is not a good idea?
-- lawpoop, Oct 26 2003


[jutta] The basic idea here is that a punchline is easier for a person to remember than a pseudo-random string that we are currently using for passwords.

The joke is agreed on the same way that a user and server agrees on the password now: either the administrator puts it in, or the user is prompted after some other authentication method.

It's not harder to guess than a simple password -- it's easier for the user to remember. The security benefit is that the user isn't writing down passwords because they can't remember them, or they aren't using the commonly known stupid passwords (DOB, pet names, sex-death-god, name of relative) just to be able to remember it.

The problem with personal-information questions such as 'mother's maiden name' is that someone can actually find that out, and use it to get your password. I don't think these fallback mechanisms are as commonplace as you make it sound; I've only seen them on consumer-oriented websites, and I'm fairly certain that no serious security model (such as a server logon) includes them.
-- lawpoop, Oct 26 2003


I don't understand how you expect a punchline to be somehow secure. I mean presumably you do, since you are advocating its use as a security access method. But anyone who has ever heard "How do you know if an elephant has been in your refrigerator?" will have access to your account.

So that can't be what you mean. You must be talking about some other sort of private thing you're calling a 'joke' which is not at all clear to the rest of us. I would not consider your example ("A Kcud.") to be a joke - on the first account, it's not funny, which is generally a prerequisite. Perhaps, when you say joke punchline, you actually mean some sort of cryptic response which is not a guessable word.

If so, then "What's your mother's maiden name backwards?" is a suitable question you could use in fallback mechanisms in place now.

But you'll still have the usual problems. "Damn, which joke did I use for this system?"
-- waugsqueke, Oct 26 2003


what waugs said. usually :)
-- po, Oct 26 2003


Try harder poopy. you might get the idea of the place eventually.. But I doubt it.
-- The Kat, Oct 26 2003


[waugs] The duck joke is the funniest joke *I've* ever heard. There's no accounting for taste. You'll also note that I proposed a 'joke or inane question'.

You're right; it's a bad idea to use commonly known jokes, just like it's a bad idea to use passwords like DOB, mother's maiden name, etc. The solution is simple: don't use them. Make up new jokes, and if no one thinks you're joke is funny, call it 'an inane question'.

I'll bet dollars to crossaints that people will have an easier time remembering answers to inane questions than they do secure passwords. As jutta pointed out, this doesn't add any more security to the log on sequence per se , because a brute force attack would probably find secure passwords and inane answers just as easy to guess correctly.

What does do is make it easier for the user to remember the authenication token, and thus, less likely to do stupid things with it, like write it down.
-- lawpoop, Oct 26 2003


Knock, Knock...
-- The Kat, Oct 26 2003


[Kat] I've got more crossaints than you, both relatively and absolutely...

I guess I'm still missing the point. [sigh]
-- lawpoop, Oct 26 2003


How is the process of inventing a joke easier to remember than remembering a password. Obviously, to make the joke remotely funny, you would need to go for an answer which is not obvious. Then when you sit back down to your system after a couple of weeks, you get "A blonde walks into a bar...".

Now, which one of the plethora of answers for this question was on this system?

Oh yeah, that's it "Ouch!" I should write it down, so I don't waste five minutes trying to think of it again, and another two to stop myself lying to my workmates about what I was laughing so hard about.

Also, the answers to most jokes would be made up of purely alphanumeric characters and usually made up of dictionary-searchable words. With the exception of jokes like "A kcuD", this would weaken the security of the passwords used, for the very same reason why admins usually suggest including numbers and special characters in all passwords.
-- reap, Oct 26 2003


+OK NORAD CENTRAL COMMAND COMPUTER READY
user gwbush

+USER OK ENTER HOW IS A DRUMMER LIKE A DRUM MACHINE
you have to punch information into both of them

+GOOD DAY MR PRESIDENT SHALL WE NUKE THE CHINESE
-- Monkfish, Oct 28 2003


Um, hello.
-- Monkfish, Oct 28 2003


Enough to depopulate the whole world five times over, was my understanding...
-- DrCurry, Oct 29 2003


For all my passwords I have just been using what's on my personalized license plates...
DAMN! Excuse me while I go call the motor vehicle department.
-- Canuck, Oct 29 2003


//Enough to depopulate the whole world five times over, was my understanding...\\

I don't know where that saying comes from. We don't have enough to do civilization let alone the whole world. Maybe Europe, America and Russia, but not Africa, South America, etc... There are more little villages in the middle of nowhere than bombs. We sure do have a lot though.
-- Madcat, Dec 27 2003



random, halfbakery