• jmlakar 69347 - Friday, March 9, 2018 1:03 PM

    roger.plowman - Friday, March 9, 2018 6:35 AM

    Biometrics is a horrible security idea. It fails half of the critical requirements a security method needs. If it's compromised (and the number of breaches per year says it WILL be--quickly) you can't change it. Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. (Look at the court rulings that say you can be forced to unlock a fingerprint device but you don't have to give up a password).

    Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

    And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

    As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.

    I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.

    Likewise with biometrics. Similar to the cloud we make trade-offs as needed between convenience and security. I don't think the blanket statements about this are merited. I will agree with you about the coercion around biometrics and I don't like it either. Broaches a whole new topic of border crossings.

    Biometric data lacks the ability to change it, therefore once stolen it's compromised FOREVER. Not a good idea.

    Um...it's not a small chance password managers are compromised either. Below are just a few of the ones we know about. How many more are being actively exploited?

    http://www.zdnet.com/article/onelogin-hit-by-data-breached-exposing-sensitive-customer-data/
    https://thehackernews.com/2017/02/password-manager-apps.html
    https://betanews.com/2017/03/03/popular-android-password-managers-serious-vulnerabilities/
    https://www.forbes.com/sites/katevinton/2015/06/15/password-manager-lastpass-hacked-exposing-encrypted-master-passwords/#14333cbd728f