    Finger Prints Are Not Passwords

    IT Discussion
    Tags: android, fail, biometrics, password, security
    125 Posts 9 Posters 59.0k Views
    • scottalanmillerS
      scottalanmiller
      last edited by

      And thinking of "the Internet" as a big scary entity just doesn't help. It's just a network. It is still individual companies storing data. And the big ones, like the government, are the ones that are least secure in most cases (especially in the US.) There is no security worse than imagined security, that's when dangerous things happen.

      You just need to be realistic. Data about you is being mined. There is data that is highly useful to someone (like passwords) and data that is effectively useless (like your fingerprint.) Sure, if you are insane you can come up with ways to expose your data in ways that would make it easy to harm you. But that's not the cases we are discussing. Using your fingerprint on your phone to log in puts you at no additional risk. If you fear that Google is stealing that data - guess what, they can steal it whether you leverage it or not.

      It's not about you sharing or not sharing, it's about you benefiting or not.

      • ?
        A Former User @scottalanmiller
        last edited by

        @scottalanmiller said:

        It is still individual companies storing data. And the big ones, like the government, are the ones that are least secure in most cases (especially in the US.) There is no security.

        Where's your data to back that up? Most municipalities' networks are very secure. It's things like the NSA, that think they are IT themselves and manage their own network as hackers (and miss lots of wide open doors), that are really at risk.

        • DashrenderD
          Dashrender
          last edited by

          One benefit to not using fingerprint or retina, etc. is that you can't be compelled to give up a password, but you can be compelled to give up your finger/eye to unlock files.

          In the US anyway.

          Granted, you need to use a GOOD password; otherwise, assuming offline attacks can be done against your data, a shake of Azure and that baby will be cracked, typically in days or less.

          • scottalanmillerS
            scottalanmiller @A Former User
            last edited by

            @thecreativeone91 said:

            @scottalanmiller said:

            It is still individual companies storing data. And the big ones, like the government, are the ones that are least secure in most cases (especially in the US.) There is no security.

            Where's your data to back that up? Most municipalities' networks are very secure. It's things like the NSA, that think they are IT themselves and manage their own network as hackers (and miss lots of wide open doors), that are really at risk.

            Where have you found a secure municipality in the US? I've never even heard of a rumour of one, let alone a municipality that was secure at all. I've rarely found a municipality that even hires what we would consider real IT let alone high end IT needed for real security.

            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said:

              One benefit to not using fingerprint or retina, etc. is that you can't be compelled to give up a password, but you can be compelled to give up your finger/eye to unlock files.

              In the US anyway.

              Yes, and I mentioned this earlier that the US has a specific law that breaks logical security that would otherwise exist. However, be aware that a judge could use the same biometric ruling to compel you to give up passwords as they are actually biometric - it all comes down to interpretation. Not nearly as likely, but in the US the law is what a judge decides it to be. And as there is already a notion of you having to give up "who you are", that your selected password is part of who you are is a logical extension of that.

              • scottalanmillerS
                scottalanmiller @A Former User
                last edited by

                @thecreativeone91 said:

                @scottalanmiller said:

                It is still individual companies storing data. And the big ones, like the government, are the ones that are least secure in most cases (especially in the US.) There is no security.

                Where's your data to back that up? Most municipalities' networks are very secure. It's things like the NSA, that think they are IT themselves and manage their own network as hackers (and miss lots of wide open doors), that are really at risk.

                I worked for the Senate and know that they used unencrypted, public, low end consumer services to pass around the high security passwords. No security, at all. Not even the slightest attempt at it. Since the government can't be sued, it doesn't care.

                • JaredBuschJ
                  JaredBusch @Dashrender
                  last edited by JaredBusch

                  @Dashrender said:

                  One benefit to not using fingerprint or retina, etc. is that you can't be compelled to give up a password, but you can be compelled to give up your finger/eye to unlock files.

                  It is not a benefit, you simply need to know how your device works. I use the fingerprint sensor for convenience. But I know that I can be compelled legally.

                  Because of this, as soon as I go through the initial TSA checkpoint where I need my phone on to scan my boarding pass (yes, I could not use my phone and go with paper...) I power cycle my phone and do not enter my password until I am done with security.

                  I do the same for any time I interact with any authority that has the right to take my device.

                  Edit: This is because iOS based devices require the password be manually entered after a power cycle. I have no idea how Android works.

                  • scottalanmillerS
                    scottalanmiller @JaredBusch
                    last edited by

                    @JaredBusch said:

                    @Dashrender said:

                    One benefit to not using fingerprint or retina, etc. is that you can't be compelled to give up a password, but you can be compelled to give up your finger/eye to unlock files.

                    It is not a benefit, you simply need to know how your device works. I use the fingerprint sensor for convenience. But I know that I can be compelled legally.

                    Because of this, as soon as I go through the initial TSA checkpoint where I need my phone on to scan my boarding pass (yes, I could not use my phone and go with paper...) I power cycle my phone and do not enter my password until I am done with security.

                    I do the same for any time I interact with any authority that has the right to take my device.

                    Edit: This is because iOS based devices require the password be manually entered after a power cycle. I have no idea how Android works.

                    Yes, I love that feature. There is a VERY quick "off" button that lets you lock the device and keep people from compelling you to use the fingerprint feature. It would be nice if you could do something further, like use the wrong finger to perma-lock it too. But the power cycle trick is pretty fast and easy.

                    • scottalanmillerS
                      scottalanmiller
                      last edited by

                      Also this makes it important to note that the fingerprint stealing issue (which was Android, not iPhone) would only work against an iPhone if you had the shim AND you did not have the device lose power. In theory you could keep it from ever powering off, but it is an extra level of security. If you leave your device somewhere and it power cycles, a biometric hack like the one in the OP would be useless. So that reduces the effectiveness of it.

                      • MattSpellerM
                        MattSpeller
                        last edited by

                        This has been an invigorating chat but I'm still against biometrics - I think the potential for abuse is astronomical.

                        • JaredBuschJ
                          JaredBusch @MattSpeller
                          last edited by

                          @MattSpeller said:

                          This has been an invigorating chat but I'm still against biometrics - I think the potential for abuse is astronomical.

                          Again, how can this be abused?

                          First, if I set up an Apple iPhone 6, a Samsung Galaxy (whatever), and a Sony Xperia with my authorized fingerprint scan.
                          Second, assuming that the same man-in-the-middle shim was able to be put in place on all three devices.
                          Third, the hash of your fingerprint will not be the same; the stolen hash will only work on the original phone.

                          Biometrics are not any more or less secure than anything else.

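As an added illustration (not code from this thread or from any phone vendor) of the two properties the posters rely on above, that a stored biometric credential is bound to the phone it was enrolled on and that a power-cycled phone demands the passcode before the sensor works again, here is a simplified Python model; the device key, the template bytes and the passcode are constructed for the example, and real phones use a secure enclave and fuzzy matching rather than an exact HMAC comparison.

```python
import hashlib
import hmac
import secrets


class PhoneLock:
    """Toy model (constructed for this example; not iOS or Android code) of a
    phone that stores a device-bound biometric credential and accepts the
    sensor only after the passcode has been entered once since the last boot."""

    def __init__(self, passcode: str) -> None:
        # Per-device secret; in real designs it never leaves the secure hardware.
        self.device_key = secrets.token_bytes(32)
        self.passcode_tag = self._tag(passcode.encode())
        self.biometric_tag = None
        self.passcode_entered_since_boot = False

    def _tag(self, data: bytes) -> bytes:
        # Bind a stored credential to this device's key (HMAC, not a bare hash).
        return hmac.new(self.device_key, data, hashlib.sha256).digest()

    def enroll_biometric(self, template: bytes) -> bytes:
        # Only the device-bound tag is stored, never the raw template.
        self.biometric_tag = self._tag(template)
        return self.biometric_tag

    def power_cycle(self) -> None:
        # After a reboot the sensor is disabled until the passcode is entered.
        self.passcode_entered_since_boot = False

    def unlock_with_passcode(self, passcode: str) -> bool:
        ok = hmac.compare_digest(self._tag(passcode.encode()), self.passcode_tag)
        if ok:
            self.passcode_entered_since_boot = True
        return ok

    def unlock_with_biometric(self, template: bytes) -> bool:
        if not self.passcode_entered_since_boot or self.biometric_tag is None:
            return False
        return hmac.compare_digest(self._tag(template), self.biometric_tag)


def demo() -> dict:
    finger = b"constructed fingerprint template bytes"  # same finger, two phones
    phone_a, phone_b = PhoneLock("2580"), PhoneLock("2580")
    tag_a = phone_a.enroll_biometric(finger)
    tag_b = phone_b.enroll_biometric(finger)
    phone_a.unlock_with_passcode("2580")
    results = {
        # A tag captured from phone A is useless on phone B: different key.
        "tags_differ_across_phones": tag_a != tag_b,
        "own_finger_unlocks_own_phone": phone_a.unlock_with_biometric(finger),
    }
    phone_a.power_cycle()
    results["biometric_right_after_reboot"] = phone_a.unlock_with_biometric(finger)
    results["passcode_then_biometric"] = (
        phone_a.unlock_with_passcode("2580") and phone_a.unlock_with_biometric(finger)
    )
    return results
```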
                          • scottalanmillerS
                            scottalanmiller @MattSpeller
                            last edited by

                            @MattSpeller said:

                            This has been an invigorating chat but I'm still against biometrics - I think the potential for abuse is astronomical.

                            Okay, being against them as a concept is fine. But not using them makes no sense no matter how much you fear them conceptually. You have to channel the fear into something practical, not into hampering yourself while not protecting yourself.

                            I agree, there is big potential for abuse. But pretty much all of that potential is around governments and what they allow to be done with them. We could have the same fear about anything. What if the government decided that your password was an ID and anyone using your password qualified as you?

                            The fear is real. But I think that the reaction to it is the issue - how does your reaction help protect you from the thing that you fear? It's a bit like fearing drowning so refusing to eat fish.

                            • MattSpellerM
                              MattSpeller @JaredBusch
                              last edited by

                              @JaredBusch said:

                              Again, how can this be abused?

                              Your scope is too narrow and short term. I'm not concerned with today's phones.

                              @scottalanmiller I have no fear about these things, I am simply thinking longer term. There is no substantial gain to using these technologies at present (at least I've yet to see how they are any more secure than a decent password, maybe I've missed that). I'll wait a while and watch and see.

                              A concern that, while I confess is an outlier, is that these companies own that data. Is it so difficult to imagine a scenario where your personal data would be sold to the highest bidder? Despite all promises for decades by that company?

                              http://www.forbes.com/sites/paularosenblum/2015/03/24/bankrupt-radioshacks-attempts-to-sell-customer-data-meets-resistance/

                              • scottalanmillerS
                                scottalanmiller @MattSpeller
                                last edited by

                                @MattSpeller said:

                                @scottalanmiller I have no fear about these things, I am simply thinking longer term. There is no substantial gain to using these technologies at present (at least I've yet to see how they are any more secure than a decent password, maybe I've missed that). I'll wait a while and watch and see.

                                You see no substantial gains to be had because you are looking only from the value perspective of enhanced security, not increased usability. I thought a fingerprint scanner was the dumbest thing until I ended up with an iPhone that uses that. Now I realize that it is just about the best thing ever added to a phone and simply will not buy a phone without it anymore and have considered upgrading my iPad based on no other need! Once you have "always locked / instant on" devices, you realize the value of a "presence based unlocking" system like people used to try to do with badge proximity sensors.

                                It's not about "more" security. Phones are not highly secure devices. It's about more useful security. I now lock my device, I didn't used to, because it was too cumbersome to unlock. The security gains for me have been huge, as they are for a lot of users.

                                • scottalanmillerS
                                  scottalanmiller @MattSpeller
                                  last edited by

                                  @MattSpeller said:

                                  A concern that, while I confess is an outlier, is that these companies own that data. Is it so difficult to imagine a scenario where your personal data would be sold to the highest bidder? Despite all promises for decades by that company?

                                  So, just to be clear, you are fearing that these vendors are stealing your biometrics today and will then sell that stolen data (a sale that could put people in jail since hacking is a massive offense and that's what we are discussing) to someone who will then use it to do illegal things with your identity?

                                  • scottalanmillerS
                                    scottalanmiller
                                    last edited by

                                    I get the fear that all these companies are actively stealing data off of your phones. I doubt that they are, but they might be. But stolen personal data is a pretty risky thing to sell. That I see as a pretty extreme fear.

                                    Not that it wouldn't happen. But to be clear, I see this as a lesser or at least equal fear to these companies directly harvesting all private data, including passwords, off of your phone and selling them. So unless you also are unwilling to use passwords, I'm unclear as to the concern. Your passwords, password style and password patterns are biometrics just like your fingerprint. You can try to change them over time, and can more easily change them than your fingerprints, but the value of selling a password is thousands or millions of times higher than selling your fingerprint (for now.)

                                    So if you fear this behaviour, wouldn't using your fingerprint be the logical response to that fear rather than the thing to avoid?

                                    • MattSpellerM
                                      MattSpeller @scottalanmiller
                                      last edited by

                                      @scottalanmiller For the difference of a few seconds I'll keep using a password. As to who owns what etc, I'm curious enough to go find out. I will report back later with my findings.

                                      • ?
                                        A Former User @scottalanmiller
                                        last edited by A Former User

                                        @scottalanmiller said:

                                        Where have you found a secure municipality in the US? I've never even heard of a rumour of one, let alone a municipality that was secure at all. I've rarely found a municipality that even hires what we would consider real IT let alone high end IT needed for real security.

                                        Just because you've never seen them or worked for them doesn't mean they don't exist. You make a lot of blanket statements without knowing the facts. I guess we should all just quit our govt jobs and go work at the local fast food chain as we aren't IT pros in Scott's book.

                                        • ?
                                          A Former User @scottalanmiller
                                          last edited by

                                          @scottalanmiller said:

                                          I worked for the Senate and know that they used unencrypted, public, low end consumer services to pass around the high security passwords. No security, at all. Not even the slightest attempt at it. Since the government can't be sued, it doesn't care.

                                          Only the federal government can't be sued. You can in fact sue local governments and many state governments.

                                          • scottalanmillerS
                                            scottalanmiller @MattSpeller
                                            last edited by

                                            @MattSpeller said:

                                            @scottalanmiller For the difference of a few seconds I'll keep using a password. As to who owns what etc, I'm curious enough to go find out. I will report back later with my findings.

                                            But why, what's the benefit? Sure, it costs you a few seconds, every time you use the device. But you've not explained the downside to the fingerprint. If they are going to steal it, it's already gone. If they aren't going to steal it, isn't it to your benefit? Where is the additional risk?
