Clock blocker: Woman sues bosses over fingerprint clock-in tech

A salted hash of a fingerprint, if feasible, would still be an inadequate safeguard. The reason for a salt in a hashed password is to protect large groups of passwords and insecure passwords. The salt, because it is different for each password, means that people can have the same password without that being obvious in a data dump. The salt also makes it less likely that the hashes can just be looked up in a list (a rainbow table). However, if I have *your* salted password and the desire, I can break it. The difference between salted and unsalted is that my work is significantly less useful for breaking into others' accounts after I got into yours.

Fingerprints can be hashed; I hope that happened here. I'm not sure how feasible it is to salt one. In strings, some random chunk needs to be dropped into the string somewhere. Either the fingerprint data needs to have other data added somehow, or the model needs to be serialized and data added to that. If data is added in a fingerprint, it appears to me that that might affect the reliability of a scanning process, producing either false negatives or ways to authenticate with partial prints. If data is added to a serialized string which fits a specific pattern, it would probably be a bit more evident and therefore easier to remove.

Finally, the security afforded by salted hashes is not intended to protect passwords forever. It is meant to limit damage and increase the lead time for an attack, hopefully long enough for the compromised credentials to be identified and revoked. Fingerprints can't be changed. A leak of such data can be used in a number of nefarious ways. Therefore, the distribution of biometric data or data used to represent biometric data is necessarily more dangerous than passwords or hashes.
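Added example (not part of the comment above) illustrating its two points: a per-record salt hides password reuse in a dump, while an exact-match hash, salted or not, rejects a fingerprint rescan that differs by a few bits of sensor noise, so a biometric matcher needs the stored template in usable form. The 64-byte "template" and its noisy rescan are constructed stand-ins, not a real fingerprint format.

```python
import hashlib
import os
import secrets
from typing import Optional


def unsalted_hash(secret: bytes) -> str:
    """Plain SHA-256: identical inputs give identical, look-up-able outputs."""
    return hashlib.sha256(secret).hexdigest()


def salted_hash(secret: bytes, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per record; returns (salt, hex)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000).hex()


def verify_salted(secret: bytes, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(salted_hash(secret, salt)[1], stored_hex)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bits that differ between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# --- constructed sample data (not real credentials, not a real template format) ---
PASSWORD = b"correct horse battery staple"   # two users happen to choose the same one
ENROLLED = bytes(range(64))                   # 64-byte 'template' captured at enrolment
RESCAN = bytearray(ENROLLED)                  # same finger scanned again later ...
for idx, bit in ((5, 0x01), (40, 0x10), (63, 0x80)):
    RESCAN[idx] ^= bit                        # ... with three bits of sensor noise
RESCAN = bytes(RESCAN)


def password_dump_reveals_reuse() -> tuple:
    """(unsalted hashes equal?, salted hashes equal?) for two users sharing PASSWORD."""
    unsalted_equal = unsalted_hash(PASSWORD) == unsalted_hash(PASSWORD)
    (s1, h1), (s2, h2) = salted_hash(PASSWORD), salted_hash(PASSWORD)
    assert verify_salted(PASSWORD, s1, h1) and verify_salted(PASSWORD, s2, h2)
    return unsalted_equal, h1 == h2           # (True, False): salt hides the reuse


def hashed_template_accepts_rescan() -> bool:
    """Password-style exact-match verification applied to the noisy rescan."""
    salt, stored = salted_hash(ENROLLED)
    return verify_salted(RESCAN, salt, stored)   # False: 3 flipped bits change the hash


def raw_template_accepts_rescan(max_bits: int = 8) -> bool:
    """Fuzzy matching works, but only with the unhashed template on hand."""
    return hamming_distance(ENROLLED, RESCAN) <= max_bits   # True
```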

