Blog: Passwords

Postal Services Breached, customers urged to change house numbers urgently

consultant-placeholder10 Ken Munro 18 Jun 2014


No, we’re joking fortunately. This article made us all chuckle this morning though.

There is a serious angle to this though, that of revocation. Particularly so in the area of biometrics. If a password is stolen, you simply change it. A pain, given the number of breaches involving passwords recently, but very do-able.

However, if you decided to use a biometric token and that is stolen, what do you do? You’ve only got 10 fingers and thumbs and a couple of retinas.

Apple seems keen for us to use fingerprints to unlock our iPhones. That tech has already been broken.

How much would it take to recover a fingerprint ‘hash’ from a used iPhone? How many people are going to forget to factory wipe their phones once they’ve finished with them? In a couple of years when you next replace your handset, I’ll bet iOS 7.1 is going to look a little less secure, based on experience of old iOS versions. I accept that ‘cracking’ a fingerprint will be rather different to cracking passwords though.

It might be embarrassing if personal photos were recovered from that old phone you sold, but rather more of an issue if your fingerprints were recovered from it.

I for one won’t be using biometrics for authentication for a while yet.

In the meantime, I think I will change the name of my house to a script tag.