5.6 million reasons fingerprints shouldn't be used as passwords

Normal passwords are a pain, but at least you can change them

Okay, I lied with this title. I don't have 5.6 million reasons fingerprints are not good as passwords, I have one. But in the massive breach of US federal employee data, nearly 6 million individuals' passwords were stolen.

That's data that can't be changed, ever.

A fingerprint is fine as a username. It identifies you. You never need to change it, and it's pretty public, considering you leave your fingerprints everywhere. Fingerprints can be spoofed just from photos of you.

Passwords, on the other hand, should be changeable because of the ever-increasing number of data breaches we suffer each year. A fingerprint shouldn't be used to authenticate your identity, Dustin Kirkland, a technical strategist at Canonical, writes.

The OPM (Office of Personnel Management) downplays the significance of the fingerprints getting stolen, saying that the ability for hackers to misuse fingerprint data is limited now--while admitting that this could change as technology evolves. If you've ever heard of cases where people have been framed for crimes and fingerprint data was used as evidence, you might disagree.

Security expert Graham Cluley explains in this video why fingerprints are not the same as passwords. One of the most important principles of information security is that passwords should be unique--each one used only for one site or service. We only have ten fingers, Cluley points out--clearly not enough to safeguard all the devices and services we use.

I'll admit, since getting my Samsung Galaxy Note 5, I've been enjoying the convenience of using my finger to unlock the phone. I'm aware of its security weaknesses, though, and am willing to trade them for convenience.

For nearly six million individuals, however, their lifetime "passwords" have been stolen. As we move towards using more fingerprint scanners, this is a huge concern. These federal employees have been offered free identity theft monitoring, but that doesn't cover fingerprint data.

The key takeaway here is that companies that are storing our biometric data, such as fingerprints, need to safeguard it. I'm not really confident in this, so maybe I will stop using my fingerprint to log in.

This story, "5.6 million reasons fingerprints shouldn't be used as passwords" was originally published by ITworld.

Copyright © 2015 IDG Communications, Inc.
