Slashdot Mirror


Unhashable: Why Fingerprints Are Weaker Security Than Passwords (hackaday.com)

szczys writes: Fingerprints aren't terribly secure; you leave them on almost everything you touch. Many people won't realize that fingerprints can be captured and reproduced from casual photographs. It's actually worse than that. The very method with which fingerprints are stored is much weaker than passwords. Fingerprints cannot be hashed. By their very nature, each read of your fingerprint will be a little different, which breaks the hashing method. They can only be stored using encryption, which requires the same master password each time a new print read is compared to the stored key — a much weaker method than salted hashes. This more easily opens fingerprint credentials up to theft and brute forcing.
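The summary's point about hashing versus encryption can be made concrete in code. The following is an added example, not code from the Hackaday article or from any vendor: it models a fingerprint template as a constructed 256-bit vector, simulates sensor noise by flipping a few bits, and shows that a salted slow hash (PBKDF2 here) rejects the noisy read outright, so the template must instead be stored under a reversible cipher and compared with a tolerance after decryption with the master key. The `keystream`/`encrypt_template` functions are a stand-in stream cipher built from SHAKE-256 so the block runs on the standard library; a real system would use an authenticated cipher such as AES-GCM. The Hamming-distance threshold of 12 bits is an assumed matcher setting, not a figure from the article.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


# ---------- Passwords: salted slow hash, exact match required ----------

def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time; no secret key is needed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# ---------- Fingerprints: every read differs slightly ----------

def flip_bits(template: bytes, positions: list[int]) -> bytes:
    """Simulate sensor noise by flipping the given bit positions (constructed)."""
    out = bytearray(template)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hashed_fingerprint_matches(read: bytes, salt: bytes, digest: bytes) -> bool:
    """Treat the template like a password: any flipped bit changes the whole digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", read, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Stand-in stream cipher (SHAKE-256 keystream XOR). Illustrative only; it models
# the property the summary relies on: decryption needs the same master key each time.
def keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    return hashlib.shake_256(master_key + nonce).digest(length)


def encrypt_template(master_key: bytes, template: bytes) -> tuple[bytes, bytes]:
    nonce = os.urandom(16)
    ks = keystream(master_key, nonce, len(template))
    return nonce, bytes(t ^ k for t, k in zip(template, ks))


def decrypt_template(master_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    ks = keystream(master_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def encrypted_fingerprint_matches(read: bytes, master_key: bytes, nonce: bytes,
                                  ciphertext: bytes, threshold: int = 12) -> bool:
    """The stored template is recovered in the clear on every comparison, then
    matched with a tolerance. The master key is therefore present at each check."""
    stored = decrypt_template(master_key, nonce, ciphertext)
    return hamming_distance(read, stored) <= threshold


def demo() -> dict:
    """Run both schemes against an exact read, a noisy read and a different finger."""
    # Constructed enrolment template: 32 bytes = 256 bits.
    enrolled = hashlib.sha256(b"constructed-enrolment-sample").digest()
    noisy_read = flip_bits(enrolled, [3, 77, 140, 201])          # 4 bits of noise
    other_finger = hashlib.sha256(b"constructed-other-finger").digest()

    salt, digest = hash_password("correct horse battery staple")
    fp_salt = os.urandom(16)
    fp_digest = hashlib.pbkdf2_hmac("sha256", enrolled, fp_salt, PBKDF2_ITERATIONS)
    master_key = os.urandom(32)
    nonce, ct = encrypt_template(master_key, enrolled)

    return {
        "password_ok": verify_password("correct horse battery staple", salt, digest),
        "password_wrong": verify_password("correct horse battery stapel", salt, digest),
        "hashed_fp_exact": hashed_fingerprint_matches(enrolled, fp_salt, fp_digest),
        "hashed_fp_noisy": hashed_fingerprint_matches(noisy_read, fp_salt, fp_digest),
        "encrypted_fp_noisy": encrypted_fingerprint_matches(noisy_read, master_key, nonce, ct),
        "encrypted_fp_other": encrypted_fingerprint_matches(other_finger, master_key, nonce, ct),
        "noise_bits": hamming_distance(enrolled, noisy_read),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast in the output is the summary's argument: `hashed_fp_noisy` is false even though only 4 of 256 bits changed, so a one-way hash cannot be used for fingerprint templates, while the encrypted scheme accepts the noisy read only because it first recovers the plaintext template with the master key. That key, unlike a password hash's salt, must be protected on every device that does the comparison, which is the weaker storage model the article describes.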

6 of 242 comments

  1. Bad practice. by Aethedor · Score: 5, Insightful

    Using a fingerprint for authentication is like using one unchangeable password for every system. Bad practice!

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
    1. Re:Bad practice. by jafiwam · Score: 5, Insightful

      Using a fingerprint for authentication is like using one unchangeable password for every system. Bad practice!

      Not to mention fingerprint authentication or encryption is not Fifth Amendment protected.

    2. Re:Bad practice. by DaHat · Score: 5, Interesting

      You can't, but interesting things may be able to happen if you fail to disclose which finger will unlock the device.

      Maybe your right ring finger is what you use to log in, but not having specific knowledge of which finger you actually use, they have you try your thumb or pointer finger... not knowing that your device treats that as a panic button and not only wipes out memory of the old fingerprint, but also any remaining hope of them unlocking the device with or without your help.

  2. Re:What does this mean for biometrics in general? by Anonymous Coward · Score: 5, Insightful

    It means that biometrics should be the username, not the password.

  3. Fingerprints are not passwords by throbber · Score: 5, Insightful

    Fingerprints, in fact all biometrics, are not passwords -- they are usernames.

    In the 'perfect' security combination of { something you are, something you know, something you have }, they are the "something you are" part.

  4. So I know something about this.... by FrankSchwab · Score: 5, Interesting

    Finally, a slashdot topic where I can be informative. Disclaimer: I work in the industry building fingerprint sensors.

    Fingerprints aren't perfect security. As so many others have pointed out, you leave them everywhere. That doesn't mean that they're not useful.

    1. It's extraordinarily difficult to create a fingerprint spoof from a latent print. Yes, there are people who can do it - I can do it - but it's not easy. Notice in the videos of breaking into the iPhone 5s or 6 that latent prints are taken from a single fingerprint placed carefully on a squeaky clean screen. On your average phone, not so much. Someone who picks up my phone off the seat in a subway will be incapable of breaking in - unless I've just cleaned the screen with Windex and carefully placed my fingerprint on it.

    2. A fingerprint on a phone makes an excellent two-factor authentication system. The average hacker in east Elbonia can't break fingerprint security - because they don't have my phone or my fingerprint.

    Perfect? No, but strong? Yes.

    --
    And the worms ate into his brain.