Reply to post: "passwords should be dropped in favor of [...] biometric technology"

The zero-password future can't come soon enough

Mike 137 Silver badge

"passwords should be dropped in favor of [...] biometric technology"

Once again (and for the gazillionth time for years and years) a biometric is not an authenticator - it's an identifier.

An authenticator must be private, rescindable and changeable. Biometrics by definition have none of these characteristics. Therefore a biometric can legitimately replace an identifier (e.g. a user name), but not a password. However, I've given up waiting for this fundamental truth to sink in.

Furthermore, using the same biometric to access "hundreds" of accounts is just as bad a principle as using a single password for the same. As soon as someone finds a way to replicate the biometric or its digest (and they will) all the accounts will be vulnerable just as for the password - with the exception that the biometric can't be changed. The only effective solution here is robust private credential repositories containing multiple independent credentials for different accounts.

What's really been needed all along is education - of users so they understand the real purpose of passwords (to keep others out, not to let legitimate users in) and of those setting password policies so they actually understand what they're doing. Practically all current "password rules" result from wild guesswork based on complete ignorance of the principles underlying code spaces, the statistics of cracking trials and the realities of modern attack types. This is typified by the "password strength meters" of two hosting services we tested. What qualified as strong on one was branded excessively weak for acceptance on the other.

It's long overdue to abandon the mantras and learn the facts.
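An added example, not part of the comment above or of either hosting service's code: two toy strength meters of the kind the post criticises (one rewarding character classes, one rewarding length; both rule sets are assumptions), set beside a plain code-space estimate and the expected number of exhaustive-search trials, to show how the meters can rank the same two passwords in opposite ways.

```python
import math
import string

# The four character classes most composition rules count (assumed rule set).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def composition_meter(pw: str) -> str:
    """Toy meter A (assumed rule): 8+ characters and 3+ classes is 'strong'."""
    if len(pw) < 8:
        return "weak"
    classes = sum(any(c in cls for c in pw) for cls in CLASSES)
    return "strong" if classes >= 3 else "weak"


def length_meter(pw: str) -> str:
    """Toy meter B (assumed rule): only length counts, 16+ is 'strong'."""
    return "strong" if len(pw) >= 16 else "weak"


def code_space_bits(pw: str) -> float:
    """Size of the space an attacker must search, as bits, assuming the
    password was drawn uniformly from the classes it actually uses.
    This is an upper bound: a dictionary word is found far sooner."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet)


def expected_trials(bits: float) -> float:
    """Mean guesses for an exhaustive search: half the code space."""
    return 2 ** bits / 2


def meters_disagree(pw: str) -> bool:
    """True when the two meters give opposite verdicts for the same password."""
    return composition_meter(pw) != length_meter(pw)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("P@ssw0rd", "correcthorsebatterystaple"):
        bits = code_space_bits(pw)
        print(f"{pw!r}: A={composition_meter(pw)} B={length_meter(pw)} "
              f"space={bits:.1f} bits, mean trials={expected_trials(bits):.3g}")
```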
