Recently a court found that the police could compel you to provide a
fingerprint to unlock a phone, but not to reveal a password. I use passwords.

http://www.zdnet.com/virginia-police-can-now-force-you-to-unlock-your-smartphone-with-your-fingerprint-7000035293/

Eric

On Sat, Nov 22, 2014 at 4:03 PM, Paul Mooring wrote:

> Kevin,
>
> Not sure if you intended to suggest that using a tool like LastPass or
> 1Password is good or bad, but I feel pretty confident saying using a
> password manager (such as those tools) is the one "right" way to handle
> password-based auth. Those tools should support MFA, have good security by
> default and generate per-service passwords for users. Password re-use is a
> much bigger threat most of the time (anyone use the same password for their
> bank and random joe's Linux forum, if so your security is only as good as the
> weakest link). There are some practical concerns with these sorts of
> tools, but from my perspective those are a whole lot less than using (and
> re-using) a password the human brain can remember on demand.
>
> On Sat, Nov 22, 2014 at 2:17 PM, Kevin Fries wrote:
>
>> I agree, except the idea of passwords being compromised is far easier
>> than a password. The use of passwords, especially the 4 digit pins that
>> secure our banking info, is ludicrous.
>>
>> I am very fond of using NFC lock on an electronic device like a phone,
>> then use fingerprint on the phone. A key is no good without a lock, and a
>> lock is no good without the key.
>>
>> So, placing the unlock on the phone, with the secondary unlock being
>> biometric makes far more sense. If the biometric was used with a key on
>> the device to generate a consistent new key, (think of the fingerprint
>> being the salt of an encryption algorithm), this would be very secure.
>> Steal my fingerprint, and without the key (on the phone) it does you
>> no good. Steal the phone without the fingerprint, and it does you no
>> good. Now you need a double breach to compromise your data.
>>
>> While nothing is 100%, the use of fingerprint and key is a huge
>> improvement over current systems or anything mentioned in this article.
>>
>> The biggest issue with passwords is that if they are not easily
>> remembered, users write them down, or use a password tool like LastPass or
>> 1Password. If they are easily remembered, they are easily guessable.
>> Therefore the use of passwords is inherently flawed. Biometrics can't be
>> guessed.
>>
>> Just my $0.02
>>
>> Kevin
>> On Nov 22, 2014 12:41 PM, "Paul Mooring" wrote:
>>
>>> This article makes some excellent points about using fingerprints as
>>> authentication, but I find its conclusion of continuing to use passwords a
>>> bit suspect. The chances of your fingerprint being compromised are real,
>>> but no more real than the chances of your password being compromised (brute
>>> force, rainbow tables, weak hashing/no salt). In my opinion the takeaway
>>> should be use 2 factor auth all the time and I also think fingerprints can
>>> be an excellent form of 2 factor auth (I forget my phone/2FA device more
>>> than I forget my fingers).
>>>
>>> On Fri, Nov 21, 2014 at 11:43 PM, der.hans wrote:
>>>
>>>> moin moin,
>>>>
>>>> biometrics aren't secret enough or flexible enough to use in place of
>>>> passwords.
>>>>
>>>> http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
>>>>
>>>> ciao,
>>>>
>>>> der.hans
>>>> --
>>>> # http://www.LuftHans.com/ http://www.PhxLinux.org/
>>>> # Data restorals via Freedom of Information Act requests.
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>> --
>>> Paul Mooring
>>> Operations Team Lead
>>> Chef
>
> --
> Paul Mooring
> Operations Team Lead
> Chef