You might think the title of this blog is pure click-bait! Who in the world would dare use a one-character password, you say! This dude is rambling again on a beautiful afternoon!
Well, only the rambling part is true; as with all my posts, I can only blog once I have settled life’s many priorities.
But back to the title: it is no joke, for I see more and more users going down this path of using a single-character password to protect their most treasured banking transactions, access to their mobile phones, etc.
I’m talking about the use of fingerprint-based biometric logins. (I have previously blogged, or rather rambled, about this.)
The way I see it, using a single fingerprint that can easily be stolen is comparable to using one character key from your keyboard as your password. In some cases I think the keyboard method might actually be safer! Here’s why:
One Character Password:
You have to guess 1 out of 94 characters.
(Assuming 26 upper case, 26 lower case, 10 numbers and 32 symbols.)
Single Fingerprint:
You only need to guess 1 out of 10 fingers. *
(* Available all over your coffee mug and on the phone itself! Don’t ever think that just because it’s unique it’s safe.)
So, referencing my previous post on how safer passwords involve length and complexity, it’s funny that a single fingerprint is still acceptable when a single-character password is not. I strongly vote for someone to give me the option to use multiple fingerprint combinations per login attempt! So hypothetically, if your mobile phone is stolen, I just have to find out which of the 10 fingerprints is registered, and I’d probably guess it’s your right index finger. If instead you use just one character on your keyboard, I would have to guess which of the 94 is the right one!
PS: Apple iPhone X is out! No more fingerprints! But now any 3-letter government agency doesn’t even have to force you to remember your passwords or pull your fingers off to scan them. They just have to show you your phone and say “Do you recognize this phone? *unlocks* Thanks, we’ll take it from here.” Great!
Today’s news has been about how bad an idea it was to use a fingerprint as a login mechanism (Ars Technica). Apple’s iPhone had a similar mechanism and it was broken within 48 hours by someone swiping a lifted fingerprint (Ars Technica, again). MythBusters had an episode where the latest in fingerprint locks (fingerprint + pulse + heat + skin conductivity) was broken by having someone lick a plastic mold of a fingerprint.
In short: Passwords can be changed, fingerprints can’t.
But I disagree that fingerprints can’t be used as a convenient way to grant authorized access. It’s only that the current implementation makes it simple and easy to break. Sure, you leave fingerprints all over the place, and once someone has your prints it becomes impossible to change them. But no one says it has to be just 1 print per scan.
A better way would be to adopt common good password practices, but this time apply them to the number of fingerprint swipes.
- Password length = number of fingerprint swipes
- Password complexity = random fingers (we have 10, take a pick)
- Password history = history of length + complexity combos
- Example: fingerprint password of length 3 + complexity = Left Thumb -> Left Middle -> Left Pinky. 3 swipes.
This way, even when someone has your prints they have no idea which finger you use, for how many swipes, or in what combination.
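To put numbers on the one-character-versus-one-finger comparison and on the multi-swipe idea, here is an added Python example (not code from the original post): it computes the keyspace of a single character versus a sequence of fingers, and sketches a lock that stores only a salted hash of the enrolled finger order and refuses further tries after a few wrong sequences. The finger labels, the hashing and the attempt limit are my assumptions, not anything a real phone does.

```python
import hashlib, hmac, math, os
from itertools import product

# Constructed finger labels; the post only says "we have 10, take a pick".
FINGERS = [f"{hand}_{name}" for hand in ("left", "right")
           for name in ("thumb", "index", "middle", "ring", "pinky")]
ONE_CHAR_KEYSPACE = 94  # 26 upper + 26 lower + 10 digits + 32 symbols, per the post

def keyspace(symbols, length):
    # distinct secrets when each of `length` positions may be any of `symbols`
    return symbols ** length

def entropy_bits(symbols, length):
    # log2 of the keyspace: how many bits an attacker has to guess
    return length * math.log2(symbols)

def swipes_to_beat_one_char(fingers=10, one_char=ONE_CHAR_KEYSPACE):
    # smallest swipe count whose finger-sequence keyspace exceeds one character
    length = 1
    while keyspace(fingers, length) <= one_char:
        length += 1
    return length

class FingerSequenceLock:
    """Stores a salted hash of the enrolled finger ORDER (never the prints) and
    locks out after `max_attempts` wrong sequences (an assumed policy)."""
    def __init__(self, sequence, max_attempts=5):
        assert len(sequence) >= 2 and all(f in FINGERS for f in sequence)
        self.salt = os.urandom(16)
        self.digest = self._hash(sequence)
        self.max_attempts, self.failures = max_attempts, 0
    def _hash(self, sequence):
        return hashlib.sha256(self.salt + "->".join(sequence).encode()).digest()
    def unlock(self, presented):
        if self.failures >= self.max_attempts:
            return False  # locked out: even the right sequence is refused
        if hmac.compare_digest(self._hash(presented), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        return False

def simulate_guessing(lock, length):
    # someone holding all 10 lifted prints tries every ordering of `length`
    # swipes; returns the attempt number that worked, or None once locked out
    for attempt, seq in enumerate(product(FINGERS, repeat=length), 1):
        if lock.unlock(list(seq)):
            return attempt
        if lock.failures >= lock.max_attempts:
            return None
```

With the post’s own three-swipe example, a thief who has every print still faces 1,000 orderings, and a lockout after 5 wrong tries means they never get there.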