fingerprints != passwords

Paul Mooring paul at getchef.com
Sat Nov 22 16:03:50 MST 2014


Kevin,

Not sure if you intended to suggest that using a tool like LastPass or
1Password is good or bad, but I feel pretty confident saying using a
password manager (such as those tools) is the one "right" way to handle
password-based auth.  Those tools should support MFA, have good security by
default and generate per-service passwords for users.  Password re-use is a
much bigger threat most of the time (anyone use the same password for their
bank and random joe's Linux forum?  If so, your security is only as good as the
weakest link).  There are some practical concerns with these sorts of
tools, but from my perspective those are a whole lot less than using (and
re-using) a password the human brain can remember on demand.

On Sat, Nov 22, 2014 at 2:17 PM, Kevin Fries <kevin at fries-biro.com> wrote:

> I agree, except the idea of passwords being compromised is far easier than
> a password.  The use of passwords especially the 4 digit pins that secures
> our banking info is ludicrous.
>
> I am very fond of using NFC lock on an electronic device like a phone, then
> use fingerprint on the phone.  A key is no good without a lock, and a lock
> is no good without the key.
>
> So, placing the unlock on the phone, with the secondary unlock being
> biometric makes far more sense.  If the biometric was used with a key on
> the device to generate a consistent new key, (think of the fingerprint
> being the salt of an encryption algorithm), this would be very secure.
> Steal my fingerprint, and without the key (on the phone) it does you
> no good.  Steal the phone without the fingerprint, and it does you no
> good.  Now you need a double breach to compromise your data.
>
> While nothing is 100%, the use of fingerprint and key is a huge improvement
> over current systems or anything mentioned in this article.
>
> The biggest issue with passwords is that if they are not easily
> remembered, users write them down, or use a password tool like Last Pass or
> 1Password.  If they are easily remembered, they are easily guessable.
> Therefore the use of passwords is inherently flawed.  Biometrics can't be
> guessed.
>
> Just my $0.02
>
> Kevin
> On Nov 22, 2014 12:41 PM, "Paul Mooring" <paul at getchef.com> wrote:
>
>> This article makes some excellent points about using fingerprints as
>> authentication, but I find its conclusion of continuing to use passwords a
>> bit suspect. The chances of your fingerprint being compromised are real,
>> but no more real than the chances of your password being compromised (brute
>> force, rainbow tables, weak hashing/no salt).  In my opinion the takeaway
>> should be use 2 factor auth all the time and I also think fingerprints can
>> be an excellent form of 2 factor auth (I forget my phone/2FA device more
>> than I forget my fingers).
>>
>> On Fri, Nov 21, 2014 at 11:43 PM, der.hans <PLUGd at lufthans.com> wrote:
>>
>>> moin moin,
>>>
>>> biometrics aren't secret enough or flexible enough to use in place of
>>> passwords.
>>>
>>> http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
>>>
>>> ciao,
>>>
>>> der.hans
>>> --
>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>> #  Data restorals via Freedom of Information Act requests.
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> Paul Mooring
>> Operations Team Lead
>> Chef
>>
>


-- 
Paul Mooring
Operations Team Lead
Chef
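The scheme Kevin sketches in the quoted reply (a key held on the phone combined with the fingerprint so that a consistent data key comes out, and either piece alone is useless) can be written down as an HKDF derivation. The block below is an added illustration for this thread, not code from anyone posting here or from any product mentioned: the device key and the fingerprint template are constructed sample bytes, and the template is assumed to already be a stable byte string. That assumption is the practical catch with "fingerprint as salt": a raw sensor reading differs a little on every scan, so a real implementation needs a fuzzy extractor or the device's secure element to turn it into a repeatable secret before it can feed a KDF. The HKDF functions are checked against the RFC 5869 test vector so the derivation itself is known-good.

```python
import hashlib
import hmac

# Constructed sample material, not real secrets or biometric data.
DEVICE_KEY = hashlib.sha256(b"constructed example device key").digest()
# Assumed: a fuzzy extractor has already turned the scan into a stable value.
FINGERPRINT_TEMPLATE = b"constructed-stable-fingerprint-template-v1"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_data_key(device_key: bytes, biometric_secret: bytes,
                    info: bytes = b"example data-at-rest key") -> bytes:
    """Kevin's construction: the biometric value is the salt, the device key
    is the input keying material. Both are needed to reproduce the key."""
    prk = hkdf_extract(biometric_secret, device_key)
    return hkdf_expand(prk, info, 32)


def factors_needed(device_key: bytes, biometric_secret: bytes) -> dict:
    """Show the 'double breach' property: a key derived with only one of the
    two correct inputs does not match the real key."""
    real = derive_data_key(device_key, biometric_secret)
    phone_only = derive_data_key(device_key, b"wrong-fingerprint-template")
    finger_only = derive_data_key(b"wrong-device-key-material", biometric_secret)
    return {
        "phone_without_fingerprint_works": phone_only == real,
        "fingerprint_without_phone_works": finger_only == real,
    }


def rfc5869_selfcheck() -> bool:
    """Test case 1 from RFC 5869 appendix A, as a sanity check of the KDF."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x0D))
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    print("KDF self-check:", rfc5869_selfcheck())
    print("derived key:", derive_data_key(DEVICE_KEY, FINGERPRINT_TEMPLATE).hex())
    print(factors_needed(DEVICE_KEY, FINGERPRINT_TEMPLATE))
```

Note that with this layout the secrecy of the derived key rests mostly on the device key, since a salt is not assumed secret in HKDF; the fingerprint's contribution is that the phone by itself cannot finish the derivation, which is exactly the "key without a lock" point in the quoted reply.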