Biometrics scares people, makes them happy.

Biometrics scares people* (Network World)
Perception of biometrics tends to be rather negative because it’s personal and physical, says Lockheed Martin’s biometrics division director.

How to find happiness in a world of password madness (PC World)
The beauty of biometrics is that you don’t have to remember anything at all, much less a complex password.

*Since I was a tad critical of Ellen Messmer’s take on rapid DNA in the previous post, it’s only fair that I single her out for praise for this highly enjoyable and thorough article.

Are laptop fingerprint sensors about security or convenience?

Popular fingerprint reader stores Windows passwords unencrypted (TechSpot)

ElcomSoft, a Russian digital forensics firm, has revealed a major vulnerability in UPEK Protector Suite, a popular biometric security solution that has shipped on machines from practically every large PC vendor, including Acer, Asus, Dell, Lenovo, MSI, Samsung, Sony and Toshiba. According to the researchers, the flaw makes UPEK’s fingerprint reading software less secure than using Windows’ standard password option.

Read the whole thing.

I haven’t used the service in question lately, but the last time I used the UPEK setup, it was pretty clear that it was a biometric password manager. Until and unless a particular web service uses biometric authentication with authentication taking place on their own servers (and astonishingly few do), the fingerprint reader on a laptop is only ever going to be controlling a password management program.

Still, a fingerprint password manager can make better password habits more convenient, making it easier for users to cope with longer, more complex passwords and change them more frequently. But the UPEK setup described in the article meant that the passwords were stored in such a fashion that they weren’t necessarily bulletproof.

As the article points out, if you’re already encrypting your hard drive, this security situation may leave you more vulnerable than you thought. If you’re not, this method of managing passwords seems much more secure than storing them in an unencrypted text or Excel file.

Schools should consider biometrics to protect personal information

Schools put pupils’ information at risk (The Telegraph)

Schoolchildren’s addresses, routes to school and even fingerprints are at risk of exploitation because nearly half of schools have no policy for handling pupil data, researchers have found.

If schools are unable to keep data secure, biometric template information is the last thing that should concern parents.

As the article points out, schools also keep academic records, behavioral records, medical records, socio-economic assessments for administering school lunch programs, home address information, counseling notes and a ton of other information that is much more sensitive than a fingerprint template consisting of a string of text characters that cannot be used to learn anything about a student.

Too often, news accounts use biometrics as the ultimate example of private information and the hook on which to hang all sorts of fears the reader is supposed to imagine — i.e. part of the problem — when they are actually part of the solution. Because biometrics are far superior to usernames and passwords for securing personal information, I’d suggest that all electronic access to student information should be controlled biometrically.

Biometrics provide for far more secure information because the biometric sensor hardware itself provides a layer of protection that a keyboard can never provide for passwords. In the standard username/password regime, the hardware used, the keyboard, offers no additional security. With username/password authentication, a hacker needs only a keyboard to fill in the proper fields and she gains access to the network. If that username/password is a superuser or administrator credential, an organization may see some turnover in the CTO function.

Biometric authentication is a very different animal because with biometrics, the hardware layer does provide extra security. If the hacker steals a biometric or unencrypted biometric template (a long character string), she can’t just type it in even if she finds the place in the programming that handles the template. It has to come from the fingerprint sensor. The template resulting from a verification attempt is like a single-use password created during the interaction of a physical object (body part) with a certain known sensor.

Biometric passwords feature in list of 15 awesome DARPA technologies

15 Advanced Military Research Projects That Will Change Your Life (Business Insider)

The Defense Advanced Research Projects Agency (DARPA) gets a ton of funding to develop the science and technological future of the military. This is the agency responsible for GPS, the internet and stealth planes. They’re the real deal.

We looked at their active projects to find the ones that might have massive civilian implications if they eventually produce real-world tech. For this round, we focused on only their Defense Science Office and their Information Innovation Office, two of six DARPA branches.

There’s some really cool stuff there, much of it to do with speech/language and blood.