DailyDirt: Passwords? We Don't Need No Stinkin' Passwords

Fingerprint-based biometric security systems are everywhere now, but there are some well-known problems with using your fingerprints instead of a password. First off, you unconsciously leave copies of your fingerprints just about everywhere you go. Still, fingerprint sensors seem to be getting better and better. I’ll stick to my 4-digit PIN for now, though, thanks, but if you like using your finger for your digital locks, check out these links.

Comments on "DailyDirt: Passwords? We Don't Need No Stinkin' Passwords"

Anonymous Coward says:

Biometrics = Terrible Security

Let that sink in.

It is just so much easier to steal your biological information. Especially if you are the government since they practically require you to give it up to easily identify you if they need to connect you to a crime.

Technology is getting so damn good that just about any biometric data can be stolen from you without you even knowing it.

Go and look at why the President can’t even take a single shit in peace…

Anonymous Coward says:

Although fingerprint identification technology had been perfected a long time ago, and is still in widespread use by the US Border Patrol, FBI, and domestic law enforcement agencies, the US military seems to prefer retina scans and DNA tests — or at least that’s what conquered populations are forced to endure.


John Fenderson (profile) says:

Re: Re:

“Although fingerprint identification technology had been perfected a long time ago”

The “perfected” method of fingerprint identification isn’t how it’s actually done, either by people or computer. What’s actually done is not comparing fingerprints, but comparing a small sample of features in each print. Under the best of circumstances, this reduces the accuracy by a huge margin.

“US military seems to prefer retina scans and DNA tests”

Probably because fingerprints are easy to copy and forge. Retinal patterns and DNA tests are more difficult.

JustShutUpAndObey says:

Are fingerprints really unique?

That is certainly the myth, but as someone who did fingerprint security systems for the FBI, I’ve yet to find any scientific proof that they are unique.

To prove it, you would have to compare all fingerprints with all other fingerprints and come up with no duplicates. Even that wouldn’t be enough: you’d need to compare all fingerprints in history, past and future.

madasahatter (profile) says:

Re: Are fingerprints really unique?

The best data on this used identical twins and found each had different fingerprints. Also, there has been no documented case of misidentification due to two people having identical fingerprints.

The problem with biometric systems is that once compromised there is ability to reset the fingerprint. With a password based system, users can change their passwords if needed.

KRA says:

Re: Are fingerprints really unique?

It has been a long time since I took stats, but you don’t have to test an entire population to get valid and reliable data. The idea is to take a random sample and then apply your findings to the population–the particular type of analysis tells you what your sample size needs to be.

The issue with fingerprint identification is the lack of consistency in matching and the lack of any scientific basis for calling something a match. This tidbit from a Popular Mechanics article has haunted me since I first read it:

A 2006 study by the University of Southampton in England asked six veteran fingerprint examiners to study prints taken from actual criminal cases. The experts were not told that they had previously examined the same prints. The researchers’ goal was to determine if contextual information—for example, some prints included a notation that the suspect had already confessed—would affect the results. But the experiment revealed a far more serious problem: The analyses of fingerprint examiners were often inconsistent regardless of context. Only two of the six experts reached the same conclusions on second examination as they had on the first.

Our method of taking prints and evaluating them sucks, even if we assume they are all unique. Interestingly, I trust tech companies to improve fingerprint technology more than I trust law enforcement to. Tech companies have a motive to get it right and law enforcement has a motive to keep it fuzzy.

John Fenderson (profile) says:

Re: Are fingerprints really unique?

The exact pattern of your fingerprints is not coded for by your DNA, so there’s a very large arbitrary and/or random component to them. It’s a bit like assigning a random number to every human. There’s no guarantee that each will be unique, but the odds of two being identical are very, very tiny.

“To prove it, you would have to compare all fingerprints with all other fingerprints and come up with no duplicates”

No, there’s no need to go that far to prove it. And this issue about fingerprints has been very well studied. The usual figure cited for the odds that two people have the same fingerprint (for a single finger) is 1 in 64 million.

However, the fact that fingerprint matching is not done by comparing entire fingerprints means that the odds of two people having their fingerprints judged as the same are around 1 in 50,000 (depending on the exact method being used).

fairuse (profile) says:

This Happened, in another universe, DNA ID [video]

We are pretty good at making Science Fiction into Science.

People don’t care how a thing does magic as long as it doesn’t interfere with their goal – open car door, start car, tell the residence to go lock down, buy food.

The leader of the [ ] makes 1 system and declares it mandatory. This system spans networks all cities and is the only way to do any task; even buy coffee.

METHOD: place finger on device. The device compares DNA sample to data on file. You are a match = 1? Good. There is no invalid compare = 0. Mismatch = Infinity? Infinity means you are a clone or worse; from the future.

This brings us to a VFX short film because the film has every horror you can relate to. Count the topics: hint we are trying to find the 1 solution now. It is fun to see all the security vs safety, commerce tracking, locks and passwords are DNA ID and the police have 100% of the data, the access, you are instantly guilty, go to jail, do not collect (..)

— The director’s YouTube account

— If the site boss wants embed …

dddimwrong (profile) says:

Our Company has been using Finger Vein readers

We have been using finger vein pattern readers for 3 years now and we are quite satisfied. We’ve had no false positives or incorrect rejections. As a biometric it would be very hard to duplicate the veins with a warm liquid coursing through them. You’d have to have one very expensive piece of equipment to duplicate someone’s pattern of veins in the last half an inch of a digit. The user has to enter their user-id and then the pattern has to match and only a live finger tip will work. The user can change their user-id at any time and can change which finger they are using and each finger is in fact different. The great thing is that your finger vein pattern has absolutely no law enforcement value as no one has ever left their finger vein pattern at any crime scene.

Anonymous Coward says:

Re: Our Company has been using Finger Vein readers

“The user has to enter their user-id and then the pattern has to match and only a live finger tip will work.”

Huh? Why do they have to enter a user-id? Sounds to me like it might not be quite so accurate after all if it can’t identify them from their vein pattern.

Anonymous Coward says:

Fifth Amendment concern

Biometric fingerprints aren’t protected by the Fifth Amendment, because these aren’t stored in your mind.

You can therefore be compelled to provide your fingerprint, and can’t refuse on Fifth Amendment grounds.

A password on the other hand is stored in your mind, and unless you are stupid and admit you know it, its production can’t be compelled.

Ninja (profile) says:

I think biometrics can be PART of the key to get into some system. But in the end it should be a mix of things so if you don’t have a portion of it then you can’t go in.

I’d love to have a combination of password, biometrics, code generators (such as google auth), thumb keys and others. Your choice depending on how much that specific access matters.

John Fenderson (profile) says:

Re: Re:

Yes, from a security point of view, relying solely on fingerprints is foolish in the extreme. Of course, it’s foolish in the extreme to rely on any single method of authentication anyway — but if you’re only going to use one, it shouldn’t be fingerprints. Of all the authentication schemes out there, if you’re going with single-factor authentication then strong passwords are still the best bet. By a lot.

John Fenderson (profile) says:

Re: Re: Re: Re:

“Strong” is a bit of a subjective term, but personally I consider the minimum form that qualifies is one that is at least 8 characters long and consists of a random string of characters that include punctuation and a mix of cases.

Also, to count as “strong”, it must only be used to access a single thing (no password duplication) and should be changed regularly. Personally, I go with every 60 days. Expired passwords get discarded, not reused.

