DailyDirt: Breaking Bad... Passwords

from the urls-we-dig-up dept

Passwords are everywhere. They get us access to our phones, computers, email, social media accounts, cloud storage accounts, bank accounts... just about everything important (and unimportant -- which is part of the problem with passwords). You might think you're clever by choosing a 4-digit PIN that doesn't look like a birthday date or year, but if you're using 2580 and think you're smart, think again. If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Filed Under: dongle, fingerprint, logins, passcode, password-free, passwords, pin, security, tokens
Companies: google, yahoo

Reader Comments

  1. jilocasin (profile), 25 Mar 2015 @ 8:00am

    Biometrics aren't magic.

    I do wish people wouldn't think of 'biometrics' (ex: fingerprint, iris, etc.) as some kind of security magic. It isn't.

    Before _any_ biometric can be used, it's converted into a string of values: what we know of as a _PASSWORD_.

    The only differences between a _biometric_ and a standard password are:

      • you can't lose it (well, unless you lose an eye or a finger)
      • you can't forget it (see above caveats)
      • after being _processed_ it's generally stronger than a typical password (nothing is stopping the fingerprint-to-password algorithm from doing something silly like counting the number of ridges and whorls)
      • you can't change it (most people only have 2 eyes, 10 fingers, etc.)
      • you are leaving copies of it everywhere
      • the cops, or the _bad_ guys (yes, sometimes that's redundant) can easily force you to disclose it.

    Currently most of the work in cracking biometric-protected systems has focused on replicating the biometry (fake finger, picture of subject, etc.). Personally, I think that's a fool's errand.

    Make a fingerprint reader, someone makes a fake finger. Add _life_ detection, someone makes a fake fingerprint and puts it on an actual finger, etc. Rinse, lather, repeat.

    Alternatively, apply the algorithm the fingerprint reader uses to a copy of the fingerprint (or take a page from the Target credit card hackers and copy the actual generated code from the back end of the fingerprint reader itself).

    Inject the computed code (a.k.a. password) into the system, BINGO, you are in. Until they change the algorithm that generates the code it doesn't matter HOW GOOD the reader gets at figuring out if it's the real person; in the end it's just computing a password based on the biometric seed.

    Science fiction figured this out a while ago. In any book/movie/television show, whenever you see the person pry open the iris scanner, fingerprint reader, etc. and connect a (usually hand-held) computer directly to the innards, that's just what they are doing: skip the biometric-to-password generation and send the password directly to the system.

    Biometrics aren't _better than passwords_, they _ARE_ passwords.
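The design the comment above describes, modelled in a few lines so the "inject the computed code" point and its usual mitigation can be seen side by side. This is an added example written for this page, not code from Techdirt or from the commenter. `toy_template` is a constructed stand-in for a real fingerprint-to-template algorithm, and the device key, nonce and `SignedReader`/`AttestedServer` names are assumptions of the example, not any vendor's design. In the naive design the backend only compares templates, so a template copied off the reader's output line is accepted verbatim; in the second design the reader binds each template to a server-issued, single-use nonce under a key the backend knows, so the same captured message is rejected when replayed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for "the algorithm the fingerprint reader uses":
# a toy extractor that reduces a scan to a fixed template. Real minutiae
# extraction is nothing like this; the point is only that the output is a
# fixed byte string, i.e. a password.
def toy_template(fingerprint_scan: bytes) -> bytes:
    return hashlib.sha256(b"toy-minutiae-v1|" + fingerprint_scan).digest()


class NaiveServer:
    """The design the comment describes: the backend just compares templates."""

    def __init__(self):
        self.enrolled = {}

    def enroll(self, user: str, template: bytes) -> None:
        self.enrolled[user] = template

    def authenticate(self, user: str, template: bytes) -> bool:
        stored = self.enrolled.get(user)
        return stored is not None and hmac.compare_digest(stored, template)


class SignedReader:
    """Hypothetical reader holding a device key; it binds each template to a
    server-issued nonce so a captured message is only valid for one session."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def scan(self, fingerprint_scan: bytes, nonce: bytes):
        template = toy_template(fingerprint_scan)
        tag = hmac.new(self.device_key, nonce + template, hashlib.sha256).digest()
        return template, tag


class AttestedServer:
    """Backend that accepts a template only with a fresh tag from the paired reader."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.enrolled = {}
        self.pending = {}  # user -> outstanding nonce (single use)

    def enroll(self, user: str, template: bytes) -> None:
        self.enrolled[user] = template

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def authenticate(self, user: str, template: bytes, tag: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # consume the nonce on every attempt
        if nonce is None:
            return False
        expected = hmac.new(self.device_key, nonce + template, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # not from the paired reader, or bound to a stale nonce
        stored = self.enrolled.get(user)
        return stored is not None and hmac.compare_digest(stored, template)


# Constructed sample input standing in for one user's finger.
ALICE_SCAN = b"constructed scan bytes standing in for Alice's finger"


def naive_replay_succeeds() -> bool:
    """A template copied between reader and backend logs in again verbatim."""
    server = NaiveServer()
    server.enroll("alice", toy_template(ALICE_SCAN))
    captured = toy_template(ALICE_SCAN)  # what a tap on the reader's output line sees
    return server.authenticate("alice", captured)


def attested_replay_fails() -> bool:
    """Same captured message against the nonce-bound design: first use works, replay does not."""
    device_key = os.urandom(32)
    reader, server = SignedReader(device_key), AttestedServer(device_key)
    server.enroll("alice", toy_template(ALICE_SCAN))

    nonce = server.challenge("alice")
    template, tag = reader.scan(ALICE_SCAN, nonce)
    genuine = server.authenticate("alice", template, tag)

    server.challenge("alice")  # new session, new nonce
    replayed = server.authenticate("alice", template, tag)
    return genuine and not replayed


if __name__ == "__main__":
    print("naive design accepts replayed template:", naive_replay_succeeds())
    print("nonce-bound design rejects replayed template:", attested_replay_fails())
```

Note what the second design does and does not change. It closes the channel the comment singles out (copying the generated code from the back end of the reader and injecting it), and it means a template alone, however obtained, is not enough without the reader's key. The stored template is still a fixed secret the user cannot rotate, which is exactly the comment's thesis; binding it to a nonce protects the transport, not the "can't change it" property.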
