Thursday, September 6, 2012

Are laptop fingerprint sensors about security or convenience?

Popular fingerprint reader stores Windows passwords unencrypted (TechSpot)
ElcomSoft, a Russian digital forensics firm, has revealed a major vulnerability in UPEK Protector Suite, a popular biometric security solution that has shipped on machines from practically every large PC vendor, including Acer, Asus, Dell, Lenovo, MSI, Samsung, Sony and Toshiba. According to the researchers, the flaw makes UPEK's fingerprint reading software less secure than using Windows' standard password option.
Read the whole thing.

I haven't used the service in question lately, but the last time I used the UPEK setup, it was pretty clear that it was a biometric password manager. Until and unless a particular web service uses biometric authentication with authentication taking place on their own servers (and astonishingly few do), the fingerprint reader on a laptop is only ever going to be controlling a password management program.

Still, a fingerprint password manager can make better password habits more convenient, making it easier for users to cope with longer, more complex passwords and change them more frequently. But the UPEK setup described in the article meant that the passwords were stored in such a fashion that they weren't necessarily bulletproof.

As the article points out, if you're already encrypting your hard drive, this security situation may leave you more vulnerable than you thought. If you're not, this method of managing passwords seems much more secure than storing them in an unencrypted text or Excel file.