After finally finishing an article about how you should ditch passwords for passphrases (from a /. story of course) I have a couple of questions. The first of which being: If people don't type too much, how are they going to enter in a 42 character phrase (getting case and special chars correct) if all they are seeing is stars?? **** And then what happens on the 5th incorrect login? You get locked out? Nice.
I love how security experts keep stalling until biometrics are mainstream. It's quite amusing.
Biometrics are mainstream. You can now buy a keyboard with a fingerprint scanner built in. Right from your computer store in the mall. The problem is that biometrics are not the be-all and end-all of computer security. Passwords are nice. You can change them, you can use different ones for different things. When used properly, passwords are a very good security device. The major problem with biometrics, such as fingerprints, is, well, you can't change your fingerprints. I can always make my password longer, change it every 3 days so there is little chance of a brute force attempt, and do many other things to make it more secure.
If you want to see another problem with fingerprints, go to the slashdot story that I linked to and search for "gummy bears". People have linked to really interesting "workarounds".
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
Nope, biometrics are not mainstream. Mainstream is considered to be the most prevalent medium being used and most people don't have fingerprint scanners on their keyboards. Bear in mind that what we consider reality might actually be a dream and what we actually see in the movies is the true reality then it is quite possible that biometrics are mainstream. This reply will self-destruct in 5 seconds...
When I can log into Amazon with my voice/fingerprint/toeprint/retina scan then I might say that biometrics are mainstream.
Why in the hell would you want to change your fingerprint? You have a point if you are psycho James Bond and you're talking about people brute forcing fingerprints using some super-scifi, fake fingerprint lens and putting it on the end of their finger. But other than that, fingerprints are supposed to be unique to you, so I'm confused.
Wow, that's crazy about the gummi bear thing. Unfortunately, I started writing my previous response before the morning meeting and posted it after you posted about the gummi bear trick. The uniqueness of fingerprints is insignificant, if a fingerprint isn't uniquely mapped to a person. Darrr! Go Retina!
I think that for any biometrics the argument can be the same: once your fingerprint (retina, ...) is compromised you can't ever make it secure.
2 scenarios:
1) You verify yourself with the same password everywhere. The places that have a copy of your password are all trusted. One place is broken into (or an employee steals info) and your password is sold to the highest bidder. What do you do? Change your password.
2) Same idea as above, but now you can't change your password. You can no longer use your fingerprint to verify who you are. Damn.
The assumption that people who love biometrics have is that your fingerprints, retina etc. can't be faked out in any way. Right now they can, so that's where everything breaks down.