Biometric fingerprint reader

Started by Mark, April 25, 2013, 10:19:19 AM


Mark

I'm being asked to look into these for password management.  Does anyone have experience or recommendations?  I've played with these for a class in college, but I'm sure much has changed since then.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Quote from: Mark on April 25, 2013, 10:19:19 AM
I'm being asked to look into these for password management.  Does anyone have experience or recommendations?  I've played with these for a class in college, but I'm sure much has changed since then.

I had an employee who used a Microsoft unit for a while, and seemed to like it OK.  It was old and I don't think I installed it on the newest computer that she got, but it worked well for her when she had it.  I'm sure they've gotten even better.  As I remember, it worked with about 98% of websites and other passwords required, but didn't work well with non-browser (software) based password requirements.  Things like Applied and the like it wouldn't recognize.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jeff Golas

Some of the sales guys use them on their laptops, but in my experience, they were more of a PITA than they were worth. I actually ordered my laptop without it.
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Jim Jensen

My Lenovo laptop has one and it's been problematic. It failed frequently and was replaced at least twice but currently isn't recognized by the computer as even being there. I quit bothering to try. I would assume that a USB-driven unit is more robust - I see them in use at the grocery store all the time. However, I've no experience with any other than what came on my laptop.
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis

Mark

You know, I asked around and Googled, and I think I am just going to squash the idea.  I am not even a fan of your regular password managers -- even though I know there are some "good" ones out there.  I just don't like the idea of passwords being saved locally. 

Yes, I know that lusers ARE putting them in spreadsheets, so I can see that there is no perfect solution.

This was requested as an efficiency thing -- not a security thing.

Jeff Golas

What exactly were they trying to accomplish/solve with this?

I've been finding more and more that management in general tends to try to solve the problems themselves and have us implement the (usually incorrect or inefficient) solution, rather than hand us the problem to solve.

Mark

Someone just read an article about how "efficient" these things can be.  She decided that swiping your finger would save thousands of keystrokes and every keystroke saved can increase efficiency (that part I won't argue with).  I mentioned that I didn't know how well it would work out but if she really wanted to, we could run a small pilot and see how well they work in real life.

Pretty sure she's thinking no more password typing, period.

Why did I offer to do a pilot?  Would rather spend the money at TENCon elsewhere.

Conan_Ward

Though it doesn't save keystrokes, could invest in typing classes to bring up everyone's WPM, imagine the time savings across the board there!

As long as it doesn't try to default in for TAM, should be ok. I know we've had our share of issues with things to try and input passwords for TAM and I'm not sure if I've heard of one that works.

Back on password managers, being stored locally is kind of a moot point if it's encrypted, unless you mean for access to it. It certainly helps some days...
Former TAM support, P&C licensed in Maryland, LFW

Mark

Encryption = Security by Obscurity

Security by Obscurity != Secure.

Obviously, encryption is a good thing.  Just not always a solution.  A password manager, or worse, a server based password manager with central storage, is going to be my target if I am malicious.  And with the power of today's GPUs, rainbow tables, etc.

I think you get my point.  None of this is a real solution in my opinion.

They all have their evils.  At least a password manager that is not client/server based would only theoretically compromise a single user, but the server based ones being compromised is like the holy grail (side note: my brother got a replica of the holy grail from Indiana Jones for his birthday. /ADD).

I know I'm getting a little carried away, but I'm not very far off.  How many of you are using a password of 16 characters or more?  Forget whether your password is in a dictionary or not.  Forget 8 or even 14 character passwords.  Welcome to 2013.  /soapbox (and sorry about the tangent).

Edit: TAM passwords are not even case sensitive....  :-\

Jim Jensen

I have a couple that are about 19 characters AND not words in the dictionary (really fun to type in on the iPhone). Sadly, many of the insurance carrier portals still have restrictions of 6-8 characters only. One even specifies where the number must be and the position that must have 1 of about 5 possible special characters. Essentially they make it impossible to have a password that you don't have to write down somewhere. Heck, it's hard enough just creating one that fits their requirement.


Conan_Ward

Ok, the one I use is 256-bit AES encrypted.
Did a search on brute force cracking of something of that level.
"Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. A device that could check a billion billion (10^18) AES keys per second (if such a device could ever be made - as of 2012, supercomputers have computing capacities of 20 Peta-FLOPS, see Titan. So 50 supercomputers would be required to process 10^18 operations per second) would in theory require about 3×10^51 years to exhaust the 256-bit key space"

So you know what, with the power of today's stuff, I feel relatively secure that someone isn't going to be able to brute force open my password manager file without having a fair amount of resources kicking about and if they did, it probably wouldn't take every single combination to crack it, but if they did, well, good for them. I think in most cases, stealing the hashed password table from whatever service I had the password with and testing other sites for password reuse would probably be a better strategy.  Keep in mind that the password manager has multiple ways to secure itself other than a password in, or encrypting each piece of information in the file separately.

I tried a 16+ once, I'll be blunt, it was too unwieldy, though I could have made it easier by making it something I could remember :P. I do have one that comes close, has a good level of security to it, and is something I can remember. I would consider it fairly secure, with the assumption that nothing is ever truly secure.

As for what I use, http://keepass.info/help/base/security.html shows the various methods it uses to make it that much harder to compromise it. Memory dumps, the ability to turn on protection against keyloggers, etc? I am fairly confident that they would find other ways to get my information before they crack the database file itself, especially since you can protect it with more than a password for initial entry.

It kind of goes with Jim's comment on hard to remember some passwords due to the specifics. I'd trust KeePass over spreadsheets, password protected OneNote files, or the infamous sticky note :P

Given my position, I'm not sure I'm the best person to talk about TAM security...MOVING ON...
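The arithmetic behind the thread's two numbers, the quoted 3×10^51 years for a raw 256-bit key and Mark's "16 characters or more", together with the case-insensitive TAM passwords and the 8-character carrier portals Jim mentions, is easy to work through. The script below is an added example, not code from the original post, from KeePass, or from any vendor named here; the guess rate (10^9 guesses/s for passwords, 10^18 for the quoted key figure) and the KDF round count are illustrative assumptions. The point it makes explicit is that a file encrypted with a key derived from a master password is only as strong as that password plus the work the key derivation adds, which is why the KeePass page Conan links describes key transformation rounds.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(key_bits, guesses_per_second, fraction=1.0):
    """Years needed to try `fraction` of a 2**key_bits space at the given rate.
    key_bits may be fractional: password entropy is rarely a whole number."""
    return (2.0 ** key_bits) * fraction / guesses_per_second / SECONDS_PER_YEAR


def password_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def effective_master_key_bits(password_bits, kdf_rounds):
    """A database key derived from a master password is only as strong as that
    password; each KDF transformation round multiplies the attacker's cost per
    guess, which is worth log2(rounds) extra bits of work."""
    return password_bits + math.log2(kdf_rounds)


def compare_policies(guesses_per_second=1e9, kdf_rounds=6000):
    """Return {policy name: years to exhaust the space} for the policies
    discussed in the thread. Rate and rounds are assumptions for illustration."""
    mixed = 26 + 26 + 10          # upper, lower, digits
    mixed_sym = mixed + 33        # plus printable ASCII punctuation
    case_insensitive = 26 + 10    # letters folded to one case, plus digits
    policies = {
        "raw AES-256 key": 256,
        "8 chars, mixed case + digits (carrier portal)": password_entropy_bits(8, mixed),
        "8 chars, case-insensitive (TAM-style)": password_entropy_bits(8, case_insensitive),
        "16 chars, full printable ASCII": password_entropy_bits(16, mixed_sym),
        "16-char master password through KDF": effective_master_key_bits(
            password_entropy_bits(16, mixed_sym), kdf_rounds),
    }
    return {name: brute_force_years(bits, guesses_per_second)
            for name, bits in policies.items()}


if __name__ == "__main__":
    # Reproduce the quoted figure: 10**18 keys/s against a 256-bit key.
    print("AES-256 at 1e18 keys/s: %.2e years" % brute_force_years(256, 1e18))
    for name, years in compare_policies().items():
        print("%-48s %12.3e years" % (name, years))
```

Run stand-alone it prints the quoted ~3.7×10^51 years for the raw key, days for an 8-character portal password at a billion guesses per second, and a figure for the 16-character password that is large but still tens of orders of magnitude below the raw key; that gap, not the AES key size, is what a password-manager attacker would work on.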

Mark

No worries, Conan.  I know I was on a tangent, but I see stuff about this almost every day.  While you are correct about your 256-AES, AES has been cracked years ago, so the technology is improving every day and all we do is stay one step ahead (bits keep increasing, etc).  Obviously encryption is good, it's just not an end-all solution.

I wasn't trying to dig on TAM either.  Just making my point.  It's been a long day and I'm thirsty now.

Conan_Ward

Darn, and I was about to rag on Chrome's saved password feature (settings, advanced settings, manage saved passwords). I mean, if I had access to a local machine, given how widespread its use is...I could have sworn it used to have an option to export them too. Might be imagining that, given Chrome auto-updates, not much of an issue now.

As I was kind of saying, encryption, better than nothing and still can be resource intensive. Usually there's softer targets to hit when you have that kind of access. Plus in another security through obscurity method, you'd have to have some reason to get targeted if things aren't being picked up via a hit on a large database.

I know what you were getting at with TAM...you can probably guess where I stand as well.


Related: I had a website do a forgotten password with the full password in plain text the other day, gave me a shock...was not too happy with that.
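A site that can email you your full password on a "forgotten password" request is storing it in plaintext or reversibly encrypted, which is also why a stolen password table is the first thing an attacker tries against other sites, as Conan notes earlier. The example below is added here and is not code from the original post or from any site or product in the thread; it shows the pattern a site should use instead: a salted, iterated PBKDF2-HMAC-SHA256 digest that makes the password unrecoverable, constant-time verification, and a single-use, expiring reset token stored only as a hash. The round count and 15-minute token lifetime are illustrative assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000        # illustrative work factor, tune to your hardware
RESET_TOKEN_TTL_SECONDS = 900  # assumed 15-minute reset window


def hash_password(password, rounds=PBKDF2_ROUNDS):
    """Store a salted PBKDF2-HMAC-SHA256 digest; the plaintext is never kept."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class PasswordStore:
    """Toy user store: password hashes plus single-use, expiring reset tokens.
    `now` is injectable so expiry can be exercised without waiting."""

    def __init__(self, now=time.time):
        self._now = now
        self._hashes = {}   # user -> stored hash string
        self._resets = {}   # sha256(token) -> (user, expiry timestamp)

    def set_password(self, user, password):
        self._hashes[user] = hash_password(password)

    def login(self, user, password):
        stored = self._hashes.get(user)
        return stored is not None and verify_password(password, stored)

    def issue_reset_token(self, user):
        """'Forgot password' sends this token, never the password: with a proper
        digest on file there is no password to send."""
        if user not in self._hashes:
            return None
        token = secrets.token_urlsafe(32)
        # Keep only a hash of the token so a leaked reset table cannot be replayed.
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self._resets[key] = (user, self._now() + RESET_TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token, new_password):
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self._resets.pop(key, None)   # pop makes the token single-use
        if entry is None:
            return False
        user, expiry = entry
        if self._now() > expiry:
            return False
        self.set_password(user, new_password)
        return True


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "correct horse")
    print("login ok:", store.login("alice", "correct horse"))
    print("stored record:", store._hashes["alice"])  # no plaintext anywhere in it
    token = store.issue_reset_token("alice")
    print("reset accepted:", store.redeem_reset_token(token, "new pass"))
    print("replayed token accepted:", store.redeem_reset_token(token, "again"))
```

The stored record carries the algorithm, round count and salt alongside the digest, so rounds can be raised later and old records re-hashed on next login; nothing in it lets the site, or whoever steals its table, reconstruct the password.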

Gene Foraker

Gene Foraker CPCU
Gates-Foraker Insurance Agency
Norton, OH


My posts are a natural hand made product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.