fingerprints != passwords

Eric Cope eric.cope at gmail.com
Sun Nov 23 08:37:24 MST 2014


Recently a court found that the police could compel you to provide a
fingerprint to unlock a phone, but not to reveal a password.
I use passwords.

http://www.zdnet.com/virginia-police-can-now-force-you-to-unlock-your-smartphone-with-your-fingerprint-7000035293/

Eric

On Sat, Nov 22, 2014 at 4:03 PM, Paul Mooring <paul at getchef.com> wrote:

> Kevin,
>
> Not sure if you intended to suggest that using a tool like LastPass or
> 1Password is good or bad, but I feel pretty confident saying using a
> password manager (such as those tools) is the one "right" way to handle
> password-based auth.  Those tools should support MFA, have good security by
> default and generate per-service passwords for users.  Password re-use is a
> much bigger threat most of the time (anyone use the same password for their
> bank and random joe's Linux forum?  If so, your security is only as good as
> the weakest link).  There are some practical concerns with these sorts of
> tools, but from my perspective those are a whole lot less than using (and
> re-using) a password the human brain can remember on demand.
>
> On Sat, Nov 22, 2014 at 2:17 PM, Kevin Fries <kevin at fries-biro.com> wrote:
>
>> I agree, except the idea of passwords being compromised is far easier
>> than a password.  The use of passwords, especially the 4 digit pins that
>> secure our banking info, is ludicrous.
>>
>> I am very fond of using NFC lock on an electronic device like a phone,
>> then use fingerprint on the phone.  A key is no good without a lock, and a
>> lock is no good without the key.
>>
>> So, placing the unlock on the phone, with the secondary unlock being
>> biometric makes far more sense.  If the biometric was used with a key on
>> the device to generate a consistent new key, (think of the fingerprint
>> being the salt of an encryption algorithm), this would be very secure.
>> Steal my fingerprint, and without the key (on the phone) and it does you
>> no good.  Steal the phone without the fingerprint, and it does you no
>> good.  Now you need a double breach to compromise your data.
>>
>> While nothing is 100%, the use of fingerprint and key is a huge
>> improvement over current systems or anything mentioned in this article.
>>
>> The biggest issue with passwords is that if they are not easily
>> remembered, users write them down, or use a password tool like Last Pass or
>> 1Password.  If they are easily remembered, they are easily guessable.
>> Therefore the use of passwords is inherently flawed.  Biometrics can't be
>> guessed.
>>
>> Just my $0.02
>>
>> Kevin
>> On Nov 22, 2014 12:41 PM, "Paul Mooring" <paul at getchef.com> wrote:
>>
>>> This article makes some excellent points about using fingerprints as
>>> authentication, but I find its conclusion of continuing to use passwords a
>>> bit suspect. The chances of your fingerprint being compromised are real,
>>> but no more real than the chances of your password being compromised (brute
>>> force, rainbow tables, weak hashing/no salt).  In my opinion the takeaway
>>> should be use 2 factor auth all the time and I also think fingerprints can
>>> be an excellent form of 2 factor auth (I forget my phone/2FA device more
>>> than I forget my fingers).
>>>
>>> On Fri, Nov 21, 2014 at 11:43 PM, der.hans <PLUGd at lufthans.com> wrote:
>>>
>>>> moin moin,
>>>>
>>>> biometrics aren't secret enough or flexible enough to use in place of
>>>> passwords.
>>>>
>>>> http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
>>>>
>>>> ciao,
>>>>
>>>> der.hans
>>>> --
>>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>>> #  Data restorals via Freedom of Information Act requests.
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>
>>>
>>>
>>>
>>> --
>>> Paul Mooring
>>> Operations Team Lead
>>> Chef
>>>
>>>
>>
>
>
> --
> Paul Mooring
> Operations Team Lead
> Chef
>
>