Tag: Passwords

Device Security: Fingerprints vs Passwords

Apple’s announcement and release of the iPhone 5s raised an interesting question that many have asked me:

“Which is safer, Touch ID or a pin code?”

The answer is, it depends on what you’re protecting yourself from.

Pin codes 

They are a nuisance

Far too many people don’t use them, because they are annoying. A device that is devoid of security is already defeated.

Pin peeping

Someone can easily observe a user inputting a pin, and thus defeat the security.

Police prevention

It takes a massive amount of legal proceedings for the police to compel a person to turn over their password.

Fingerprint 

Police & fingerprints

The police can compel you to turn over your fingerprints. There isn’t enough legal precedent to ensure protection from the authorities.

Deep sleepers

If you’re a deep sleeper, someone could access your device with your fingerprint, and defeat your security while you’re dreaming.

Effortless security

The way Touch ID is set up, using your fingerprint as a password is effortless after initial setup.

Safe print storage?

The way Touch ID is architected, your fingerprint data should be secure. Even if it isn’t, the device isn’t storing your prints, it’s storing a mathematical translation of your prints. So, if someone defeats Apple’s security and accesses your print data, it’s not actually your print, it’s a looooooooooong string of seemingly random characters.

I cannot speak for other fingerprint-enabled devices at this time.

That being said, I wouldn’t worry about this because we leave our fingerprints everywhere. If someone is motivated and wants to steal your prints and do bad things, it’s pretty much impossible to prevent (hair follicles too).

The bottom line

If you think you’ll be invoking your right to remain silent in the near future… Go with a pin… And please don’t hurt anyone.

If you don’t trust the people under your roof… Go with a pin… And maybe a lock on your door.

Your safest option would be to enable fingerprint security, and have a pin… But Apple doesn’t allow it. Two layers of security would be better than one.

That being said, pick one. Pin or print, it doesn’t matter. If you’re committed to security laziness, at least protect your device with a print. No security is a terrible idea.

Practice safe computing.

(Image via Apple)

Facebook Password Protection Law Fails: It’s Good

Yesterday’s amendment to a larger FCC reform bill that would make it illegal for employers to ask for employees’ social media passwords failed to garner the votes it needed.

This is a good thing.

Don’t get me wrong, my mantra remains the same: “Don’t give your passwords to anyone.” By anyone I include boyfriends, girlfriends, spouses, children, or employers. That being said, I don’t see this as the kind of issue that must be transformed into law as there is nothing inherently dangerous about giving away a Facebook password, and there are other ways of getting at the information in one’s Facebook profile beyond demanding access.

Personally I won’t work with obviously unethical people. I rather like the idea of telling a potential employer to piss off because they demand something that they have no business asking for. I see the fact that an employer can ask for my passwords as a layer of protection for me. It’s a simple red flag system, as I will loathe working for or with people like that.

It’s fine if they ask me for my password, and it’s my right to tell them that I don’t work with unethical people.

The Other Side of the Argument

Now some of you are already thinking, “David, you don’t have a family to think about.” And you’re damn right. I don’t. At that point, you’re putting a value on your privacy. It’s your choice. We place a value on our privacy every time we sign up for an online service like Google or Facebook. What’s wrong with doing the same for employment? With regards to your potential employer, ask yourself:

  • How badly do you want that job?
  • Do you honestly believe that the (largely imagined) job security you seek is really going to come from the jerk who demands your passwords?
  • Are you ok with working for a micromanager? Because that’s who asks for your passwords.

What To Do If You Turn Over Your Password

  • Tell the potential employer that your password will change by the end of the day. This is a personal security issue, and you can’t knowingly have a compromised password in the wild for more than a day.
  • If you reuse passwords (which you shouldn’t), you need to change the password on all accounts that use that compromised password. Do it as soon as you get home.

Practice safe computing by keeping your passwords unique and secure.

(PC Mag)

Sony Hacking Incident – What You Should Know

Sony screwed up bad.

They screwed up really bad, but did they screw up enough to warrant federal legislation, and a class action lawsuit? I’m not so sure, but when something big, bad and newsworthy happens you can always count on an ambitious lawmaker to beg for attention, and for a small army of lawyers to get erections at the thought of filing a lawsuit.

As I mentioned in earlier posts, I have boycotted Sony for months because of their lawsuit against Geohotz, and their company policies that led to said suit. That being said, I still think the media, legislative, and legal frenzy surrounding this circus is a bit much. Here’s what you need to know:

What did the hackers steal?

They basically hijacked everything Sony had on the PlayStation Network. This includes:

  • Usernames
  • Passwords
  • Birth dates
  • Home addresses
  • Password retrieval question answers (ex. “What’s your mother’s maiden name?”)
  • And probably a slew of data about the games you play and things you’ve downloaded from the PlayStation Network

Credit cards

While the hackers did steal credit card information, all of that information is encrypted.

That means that the credit card data should be safe, and unusable.

I have a PlayStation Network account, what should I do?

Most of the stolen information is the kind of stuff that is uncoverable through thorough Google and Facebook stalking… except for the passwords.

If you have a PSN account, and you used the same password from your PSN account in other places, you need to start changing your passwords.

Typically, web services that require a password protect it by passing the text through something called a hashing algorithm before storing it. Hashing turns your password into a unique string of characters, and the process cannot be reversed. Sony failed to hash their users’ passwords, leaving them vulnerable.

What Sony did was boldly stupid. I can’t even begin to imagine how a tech company stored millions of customer passwords unhashed, but they did it… And that may warrant a lawsuit.

A PlayStation is a computer, so you still need to practice safe computing while you’re on it. Change your passwords, and while you’re at it, don’t use the same one over and over again.

Why You Need to Change your Amazon Password

Do you use Amazon.com?

Of course you do.

Did you know that Amazon had a security vulnerability in their system that made it possible for malicious hackers to gain access to your password?

Amazon has already implemented a fix, but oddly enough you need to change your password in order to activate their security fix, and make your password.

So go change your password on Amazon.com.

(Via Engadget)