Hacker News new | ask | show | jobs
by tom-lord 3980 days ago
> the claim that [...]

What are you talking about? The comment I replied to didn't make any such claims!

> passwords must be changeable

Not necessarily. What about fingerprints?

> usernames need not be changeable

Not necessarily. What about National Insurance / Social Security numbers?
1 comments
_swa8 3980 days ago
Fingerprints are usernames, not passwords, even if some people use them as passwords.

What's the point of a password you can't change? Once it leaks, you're screwed forever.

In the autenticaion realm, there's three main things used: a) who you are ("username") b) what you know ("password") and c) what you have (smartcard, various kinds of dongles). Biometrics of any kind only fit in the first category. The other two must be changeable, or there's no point to them, since they become aliases for the username. Any authentication system needs to assume the password or the what-you-have thingy leaks or is stolen. If they can't be changed, it becomes rather difficult to lock out an attacker while still allowing the legitimate user access.

link
tom-lord 3979 days ago
> Fingerprints are usernames, not passwords, even if some people use them as passwords.

This doesn't make sense. You cannot "use a username as a password".

Fingerprints, retina scans, DNA samples, etc are biometric passwords. They are unique identifiers to your identification, and cannot be changed for obvious reasons.

link
jessaustin 3979 days ago
Please reread this thread. The reason 'liw and I are on the same page, and you literally denied that 'liw said what we can all read 'liw saying three inches above, is that you simply haven't thought deeply enough about this topic.

The entire concept of "biometric passwords" is flawed, because as you see, they "cannot be changed for obvious reasons". One of the most important things about passwords (and passphrases!) is that they may be changed at any time. Every time there is an unauthorized data dump, we get lists of thousands of passwords or hashes thereof. Therefore, anyone who protects important assets with passwords should change them regularly. Anyone whose biometric data is stored in a database will eventually have that dumped as well.

The day is quickly approaching when none of these biometric measures will be private anyway. With that in mind, they could perhaps be used as public identifiers, "usernames" if you will. In that sense they might be similar to the SSN, another datum that is clearly unsuitable as a password, even though hundreds of stupid organizations have used it as such.

link