Shostack + Friends Blog Archive


You can’t change your fingerprint


One of the most useful things you can do to protect your passwords is to change them regularly. This bounds the effect of many attacks that obtain your password, whether through various cracking techniques or because you mistakenly entered it in the wrong place. After you’ve changed your password, the old one doesn’t do an attacker any good. This doesn’t help if you’re worried about spyware or a compromised server sharing your password, but it does help in many cases, and is the origin of many password change policies.

However, in cases where your finger is used to identify or authenticate you, it’s much harder to change your password. To date, we haven’t seen open market sales of biometric information captured by private sector companies like Disney or SeaWorld, but Bob Sullivan identifies a case where a Disney “contractor [was] caught trying to sell Disney data:”

An employee who works for the company that processes Disney Movie Club transactions was caught trying to sell customer credit card information, Disney told its customers this week. The story echoes an incident revealed by Fidelity National Information Services earlier this month.

Now, we know about this because it was credit card data. If it were your fingerprints, you’d be entirely out of luck, and you wouldn’t even know it.

Photo: PartyPig’s password, on Flickr. I think he has a different title.
