Mythbusters Beat Finger Print Security System
-
truthiness
- Freshman Member
- Posts: 59
- Joined: Mon Aug 28, 2006 10:14 pm
-
DIGITALgimpus
- Senior Member

- Posts: 774
- Joined: Sat Aug 20, 2005 1:01 pm
Fingerprint scanners were never really marketed as "more" secure, or even being "secure". It's just convenient. Sadly some people are too stupid to read:
* Reduced complexity: Unlike the dozens of passwords required to access computers, web sites and corporate applications, a fingerprint cannot be forgotten, misplaced or shared.
* Enhanced security: Personal computers today often store sensitive and confidential data. They are also the access point to corporate networks. As systems become smaller and more mobile, they are more at risk of being lost or stolen. Use of a fingerprint reader in combination with a password offers a much higher level of authentication security for access to data or networks than can be achieved with a single form of authentication.
T43 (2687-DUU) - 1.86GHz, 1.5GB RAM, 100GB 5400 (non IBM-firmware Hitachi 5k100) HD, Fingerprint Scanner, 802.11abg/Bluetooth, ATI x300
-
BigWarpGuy
- Junior Member

- Posts: 453
- Joined: Wed Jan 05, 2005 9:22 pm
- Location: New Hampshire
- Contact:
alarm went off?
Even though they got in, the alarm went off. Would it still be a success even if the alarm goes off?

* * * * * * * * *
BigGoofyGuy
* * * * * * * * *
http://www.biggoofyguy.com
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
http://www.cafepress.com/tomleem
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
-
Thinkpaddict
- Senior Member

- Posts: 504
- Joined: Fri Sep 09, 2005 9:15 am
- Location: Sacramento, California
-
Turbo Audi
- Senior Member

- Posts: 509
- Joined: Thu Jul 20, 2006 7:40 am
- Location: Sudbury, Massachusetts.
- Contact:
-
DIGITALgimpus
- Senior Member

- Posts: 774
- Joined: Sat Aug 20, 2005 1:01 pm
Thinkpaddict wrote:
It actually seems to me that the fingerprint reader might be a less secure method than regular passwords, seeing as anyone persistent enough and with access to the necessary means can lift a fingerprint off your laptop and create a fake fingerprint that will fool the scanner.

Yea, but with the time required, you could also use the equiv. software to crack passwords.
Same time, and less effort.
That's why the only real security has multiple aspects to it.
T43 (2687-DUU) - 1.86GHz, 1.5GB RAM, 100GB 5400 (non IBM-firmware Hitachi 5k100) HD, Fingerprint Scanner, 802.11abg/Bluetooth, ATI x300
DIGITALgimpus wrote:<snip>
Yea, but with the time required, you could also use the equiv. software to crack passwords.
Same time, and less effort.
That's why the only real security has multiple aspects to it.

True, but with some caveats. It takes one computer some months of time non-stop to build rainbow tables that will readily crack a secure password. In addition, such tables need 20 or so Gb of space on a hard drive. I carry around the short tables (3Gb) that only took 8 days to build, but such tables cannot defeat my own passwords.
... JD Hurst
-
DIGITALgimpus
- Senior Member

- Posts: 774
- Joined: Sat Aug 20, 2005 1:01 pm
Computing power increases at such a rate that it gets easier and easier....
http://www.lockdown.co.uk/?pg=combi&s=articles
And note faster computers drop those times quite a bit. Get a tool that can multithread on dual xeon workstations... and yea, you get the picture.
Now imagine 2 years from now. Remember exponential increase in CPU power.
Having 1 factor security is never very good. If you have:
1. Something you remember (password)
2. Something you are (fingerprint)
You're much more secure. 2 methods need to be employed to crack. It's much more work.
For extra security:
3. Something you have (SecurID, keyfile, etc.)
Obviously makes things even more secure.
T43 (2687-DUU) - 1.86GHz, 1.5GB RAM, 100GB 5400 (non IBM-firmware Hitachi 5k100) HD, Fingerprint Scanner, 802.11abg/Bluetooth, ATI x300
-
Thinkpaddict
- Senior Member

- Posts: 504
- Joined: Fri Sep 09, 2005 9:15 am
- Location: Sacramento, California
-
Thinkpaddict
- Senior Member

- Posts: 504
- Joined: Fri Sep 09, 2005 9:15 am
- Location: Sacramento, California
DIGITALgimpus wrote:
Computing power increases at such a rate that it gets easier and easier....
http://www.lockdown.co.uk/?pg=combi&s=articles
And note faster computers drop those times quite a bit. Get a tool that can multithread on dual xeon workstations... and yea, you get the picture.

Actually, I think you are being overly optimistic.
Notice in the link that you provided that, in the case of the 62 character alphabet (for example) every character added to a password multiplies its strength by a factor of 62. Also notice that in a Thinkpad, as far as I know, all three passwords (supervisor, power-on, and hard drive) can have a maximum of 64 characters of length.
In the link that you provided, in the table for the 62 character alphabet, calculations stop at 8 characters, and this yields 218 Trillion combinations, which according to that information currently would require about 2 months for a large network of computers to crack.
Now imagine you set up your power-on password as a 64 character string of characters in a 62-character alphabet (lowercase and uppercase letters, and numbers). This would yield 62^64 combinations. (That is 62 raised to the power of 64.) xCalc gives me an approximation of 5.16497 * 10^114 combinations. I am no expert, but it seems to me that even using the fastest supercomputer available right now (assuming 100,000,000,000 combinations processing/sec), it would take much longer to break such a password than the current age of the Universe.
In conclusion, no way is the fingerprint scanner an added layer of security, assuming you use strong passwords.
The problem is the way the fingerprint scanner has been marketed by IBM (and then Lenovo). It isn't really a security feature, but it is rather a convenience feature.
I personally have never liked the fingerprint scanner, because I've never thought it was that secure, and because it is something more that can malfunction or stop working altogether (with obviously bad consequences).
My advice? Keep a strong password in one or two USB keys. You can also craft it from the first letter of all even pages in a specific book in your library (for example). Like I said, I'm not all that concerned about security since I don't keep sensitive data on my computer. I would be more concerned about losing the Thinkpad itself really.
-
christopher_wolf
- Special Member
- Posts: 5741
- Joined: Sat Oct 08, 2005 1:24 pm
- Location: UC Berkeley, California
- Contact:
There is no security system that cannot be broken with enough time and cleverness. Rather, what you want to do if securing a computer is the goal is severalfold;
1.) Reduce the time window in which a potential attacker may have the ability to connect to the system in question and apply any given technique; this preventive measure can be manifest, for example, as a login window with a timeout period. Keep in mind that the more time that the authentication portal remains open to the environment, the higher the chances that it will be cracked.
2.) Given that you know the characteristics of the user and the above (i.e. how they login), you can generate a password of acceptable length and entropy such that it will make cracking the security system, within the aforementioned window of time, virtually impossible. This is essentially the same way that OTP works in that you, ideally, never give potential attackers enough time to figure out the behaviour and communication between the users and the robust security system. It is akin to a competitive evolutionary game; as such, one is rewarded for always mutating/changing and moving ahead at a decent rate; such as changing passwords per interval of time.
3.) The above is fairly idealized and would not really work if, for example, you tried to force people to remember 64 character, purely random passwords that changed every week. That may give you good security in theory and on paper, but would fail because of a very crucial element/peripheral, the user (funny how users appear to be the cause of many problems...but I digress). They would probably write it down somewhere, then lose it or forget it, or even trade it in for a cup of coffee or chocolate (such studies have been done using the trade-credentials-for-coffee/chocolate approach and they have worked well). This is where the FPR comes in and is *really* meant to get things done in a better way. With the FPR, and naturally this has its limits but that is beyond the scope of this particular discussion, you can generate very many passwords for a number of different systems that the user has to remotely log into as well as for the Thinkpad itself. Is the user going to be more apt to use a high-entropy, high-character count password that may change every month if they can do so with the swipe of their finger? Of course they are. Now you can, obviously, make a copy of the fingerprint and try to attack the system like that but that will only be, at a minimum, as difficult as getting the fingerprint and understanding how it is read by the biometric device. As such, this layer of user-interaction security is only as good as the robustness of the fingerprint reader itself. However, this is fairly strong compared to most passwords in use today; remember that you have to get the full fingerprint of the user, on the correct finger, come up with some way to print that on a substrate that has the ability to fool the FPR by mimicking certain characteristics of a human finger, and then make sure it works within a few swipes (unless you want 3 bad authentication attempts to be flagged by the system, a lockdown, and a possible alert sent out to the network).
In that sense, the FPR and CSS can be thought of as a very tightly paired security system that gives the user a higher level of abstraction when it comes to entering passwords/passphrases whilst still maintaining the ability to quickly change and adapt to a new password without forcing the user to remember all the details as such. Such abstraction is also why, most, application developers and software engineers tend to program in languages, such as C++, that have a higher level of objects and abstraction over that of assembler and/or bare machine code. Of course, that doesn't mean one *can't* do that, just that it is difficult or impractical to do so efficiently and quickly not to mention its dependence on the situation (coding drivers? coding applications to talk with outside custom hardware with a custom API? Etc).
So the MythBusters episode was fun in the sense that it was an adventure and they applied, mostly, solid thinking to it; but how likely is an attacker going to be able to do what they did in an operational setting? They weren't testing the overall security of a network for a corporation or institution, all they focused on were technical details regarding ways to spoof the fingerprint reader. This kind of stuff is fun to do in the lab, but is far out of context when you look at how one could go about applying it in a real-world setting.
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c
~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"
-
Thinkpaddict
- Senior Member

- Posts: 504
- Joined: Fri Sep 09, 2005 9:15 am
- Location: Sacramento, California
I see your point about the fingerprint scanner being perhaps more useful in a real-world setting than what the Mythbusters episode led to believe. But I still think it is not a security feature, rather I think of it as a convenience feature. By saying this I don't mean that the FPR is not a security feature per se, however it is a security feature that doesn't improve on the level of security that you can achieve using strong passwords. Even more, I think it is a weaker security measure when used by itself.
If you are really worried about the security of your data, then use a strong set of passwords. If you don't care about the security of your data, then just use a simple password that will prevent most anyone from finding out whether you prefer puppies or kittens, or from breaking into your porn stash.
I think the fingerprint scanner is high on the cool factor, don't take me wrong. I just don't see its usefulness. It is neither safer than strong passwords, nor more convenient than short passwords (or no passwords at all).
-
christopher_wolf
- Special Member
- Posts: 5741
- Joined: Sat Oct 08, 2005 1:24 pm
- Location: UC Berkeley, California
- Contact:
That depends on the definition of security; you can have all the latest and coolest technology, including high security in the world, but if the users are themselves being careless with their credentials and passphrases/passwords, then it is all for naught.
In that sense, the FPR can be considered a very useful security tool. Simply by making it easier for the user to enter a larger credential set faster, it prevents "cheating" and most, if not all, cases of writing passwords down on stickies behind the keyboard. This is a good thing for the business side as most such users tend to do *just* that and yet they have a lot of valuable data to protect. Users are often the weakest and most vulnerable parts in any security implementation, which is why social engineering remains so effective in comparison to other techniques.
In addition, encryption should never be the first line of defense except where it is absolutely necessary. It should be behind protected systems and communications as it is simply a defensive measure and the encryption, without active assistance, wouldn't change nor would the data move anywhere else; that is the perfect target for an attacker looking for a static set of systems to attack.
Then again, I have already secured my data far past what most people consider sane.
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c
~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"
-
Thinkpaddict
- Senior Member

- Posts: 504
- Joined: Fri Sep 09, 2005 9:15 am
- Location: Sacramento, California
You know, that image of users writing down passwords in stickies and putting them under the keyboard had me laughing. It is so funny I guess because I am sure it is true in many cases.
If you take into account the dumb and/or lazy user factor, then I see the usefulness of the FPR actually. It just happens that I don't think like that, so it is difficult to put myself in the shoes of a lazy corporate user.
Uh wait, didn't I say I either had no passwords on my computers or short passwords? 
-
christopher_wolf
- Special Member
- Posts: 5741
- Joined: Sat Oct 08, 2005 1:24 pm
- Location: UC Berkeley, California
- Contact:
Thinkpaddict wrote:
You know, that image of users writing down passwords in stickies and putting them under the keyboard had me laughing. It is so funny I guess because I am sure it is true in many cases.
If you take into account the dumb and/or lazy user factor, then I see the usefulness of the FPR actually. It just happens that I don't think like that, so it is difficult to put myself in the shoes of a lazy corporate user.
Uh wait, didn't I say I either had no passwords on my computers or short passwords?

Believe me, it doesn't matter how few passwords you may have; I have, very unfortunately, seen worse.
Example? "12345678910111213141516" for a 16 character password (notice a problem with that one?)
Or the absolute favorite, adding a number onto the end of an old password when password renewal time comes around. I.e. "pongo" would be the old one and "pongo1" the new one.
So, yeah...I think that you may very well have better security than many corporate users.
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c
~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"
-
MobileGuru
- Junior Member

- Posts: 327
- Joined: Thu Feb 03, 2005 10:53 am
- Location: Toronto
Don't forget of course that in the video that is a flatbed type scanner, not an image loader like the integrated FPS on the ThinkPad, so security would be higher on the TP than in that video. Additionally, the scanner requires living tissue contact (ie it reads biometric energy) which should eliminate most of the thicker gels as fingerprint copies.
I'd like to see those tests run on a ThinkPad just for fun, to see what kind of results the boys would get. Of course, any technology that can be engineered can be reverse engineered, but my bet is that it is still quite secure.
MG.
Legacy A3/R3/R4/R5/T2/T3/T4/X2/X3/X4
Current R5/R6/T4/T6/X4/X6/Z6/
Lenovo C100/N100/V100
"Information is pretty thin stuff unless mixed with experience." - Clarence Day
-
Thinkpaddict
- Senior Member

- Posts: 504
- Joined: Fri Sep 09, 2005 9:15 am
- Location: Sacramento, California
christopher_wolf wrote:
Believe me, it doesn't matter how few passwords you may have; I have, very unfortunately, seen worse.
Example? "12345678910111213141516" for a 16 character password (notice a problem with that one?)
Or the absolute favorite, adding a number onto the end of an old password when password renewal time comes around. I.e. "pongo" would be the old one and "pongo1" the new one.
So, yeah...I think that you may very well have better security than many corporate users.

That 123456...sequence sure would take several trillion years to be cracked in the most advanced supercomputer. Not to mention FBI's best and brightest...Leslie Nielsen, anyone?
Actually, when I bought my X21 second hand the Windows password was "password". It is really tough to beat that one. Probably the computer was preowned by Homer Simpson..."Where is the Any key?" (When prompted by the computer to press any key)
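
An added example, not code from any poster in this thread: a Python sketch of a password-change check that sets the nominal keyspace arithmetic from the earlier posts beside the habits described above (the counting-digit string, the "pongo" to "pongo1" renewal, and "password" itself). The function names, the one-entry denylist and the 33-symbol punctuation count are assumptions made for illustration; the guess rate is the 100,000,000,000 per second figure used in the thread.

```python
import re

GUESSES_PER_SEC = 100_000_000_000      # rate assumed in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600
COMMON = {"password"}                  # constructed one-entry denylist


def alphabet_size(pw):
    """Size of the smallest usual character pool that covers pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33                     # assumed count of printable symbols
    return size


def nominal_keyspace(pw):
    """Combinations a blind brute force must cover: alphabet ** length."""
    return alphabet_size(pw) ** len(pw)


def brute_force_years(keyspace, rate=GUESSES_PER_SEC):
    """Years needed to exhaust the keyspace at the given guess rate."""
    return keyspace / rate / SECONDS_PER_YEAR


def is_counting_sequence(pw):
    """True if pw is consecutive integers written out, e.g. 1,2,...,16."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    for width in (1, 2):               # try a 1- or 2-digit starting number
        n, built = int(pw[:width]), ""
        while len(built) < len(pw):
            built += str(n)
            n += 1
        if built == pw:
            return True
    return False


def is_trivial_renewal(old, new):
    """True if new differs from old only in trailing digits (pongo -> pongo1)."""
    old_stem = old.rstrip("0123456789").lower()
    new_stem = new.rstrip("0123456789").lower()
    return old_stem != "" and old_stem == new_stem


def review(new, old=None):
    """Return the reasons a proposed password should be rejected."""
    findings = []
    if new.lower() in COMMON:
        findings.append("common password")
    if is_counting_sequence(new):
        findings.append("counting sequence")
    if old is not None and is_trivial_renewal(old, new):
        findings.append("trivial renewal of old password")
    return findings


if __name__ == "__main__":
    for new, old in [("12345678910111213141516", None),
                     ("pongo1", "pongo"),
                     ("password", None)]:
        years = brute_force_years(nominal_keyspace(new))
        print(f"{new!r}: nominal {years:.3g} years, findings: {review(new, old)}")
```

The nominal figure assumes the attacker tries combinations blindly; each finding marks a password that a guesser working from patterns would reach long before that.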