Hacker Times

If you use a biometric fingerprint instead of a password, you will soon find that passwords can be changed, but biometrics can't.

If a password database is compromised, you have a problem, but you can change everyone's passwords.

If an iris database is compromised, you really have a problem.

Biometrics are also susceptible to replay attacks, where sort-of-alternatives (such as tokens) aren't.



Which is why, as I mentioned, you don't store the biometrics. You don't even send them to the remote service.

Hash + Salt on the client, submit the result. Unique salt for each remote service, and you can change it for a particular remote service if it turns out they do stupid shit with it.
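The scheme described in the comment above, worked through as an added example (not code from the thread or from any product): the client keeps the raw template and one independent salt per remote service, derives a per-service value with a salted, iterated hash, and submits only that value; the service treats the value like a password and stores a salted hash of it. The template bytes, service names, user name and work factor are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added example, not the commenter's code. It assumes the device yields the same
# template bytes on every reading, which the hash-and-salt scheme requires.

ITERATIONS = 100_000  # PBKDF2 work factor; tune for the client hardware


class BiometricClient:
    """Holds the raw template and one independent salt per remote service."""

    def __init__(self, template):
        self._template = template
        self._salts = {}  # service name -> client-side salt, never sent anywhere

    def enroll(self, service):
        """Pick a fresh salt for this service and return the value to submit."""
        self._salts[service] = secrets.token_bytes(16)
        return self.credential(service)

    def rotate(self, service):
        """Change the salt for one service only; other services are unaffected."""
        return self.enroll(service)

    def credential(self, service):
        """Hash + salt on the client: derive the value that goes to the service."""
        return hashlib.pbkdf2_hmac(
            "sha256", self._template, self._salts[service], ITERATIONS, dklen=32
        )


class RemoteService:
    """Treats the submitted value as a password: stores a salted hash, never the value."""

    def __init__(self):
        self._verifiers = {}  # user -> (server salt, hash)

    @staticmethod
    def _hash(salt, credential):
        return hashlib.sha256(salt + credential).digest()

    def register(self, user, credential):
        salt = secrets.token_bytes(16)
        self._verifiers[user] = (salt, self._hash(salt, credential))

    def verify(self, user, credential):
        salt, stored = self._verifiers[user]
        return hmac.compare_digest(stored, self._hash(salt, credential))


def demo():
    """Enrol at two services, leak one credential, then rotate that service's salt."""
    template = b"constructed fingerprint template 0001"  # constructed sample, not real data
    client = BiometricClient(template)
    service_a, service_b = RemoteService(), RemoteService()

    cred_a = client.enroll("service-a")
    service_a.register("alice", cred_a)
    cred_b = client.enroll("service-b")
    service_b.register("alice", cred_b)

    # An attacker who captured cred_a (in transit, or from a sloppy service):
    cross_service = service_b.verify("alice", cred_a)  # unusable at another service
    replay = service_a.verify("alice", cred_a)          # but replayable at the same one

    # The client reacts by changing the salt for service-a only and re-registering.
    new_cred_a = client.rotate("service-a")
    service_a.register("alice", new_cred_a)

    return {
        "unlinkable": cred_a != cred_b,
        "cross_service_login": cross_service,
        "replay_before_rotation": replay,
        "old_credential_after_rotation": service_a.verify("alice", cred_a),
        "new_credential_after_rotation": service_a.verify("alice", new_cred_a),
        "service_b_unaffected": service_b.verify("alice", cred_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the run makes visible. Because the salt is per service and lives on the client, a leak at one service yields a value that is useless at every other service and can be invalidated there by rotating that one salt. The derived value is still a static bearer secret, though: anyone who captures it can replay it to the service it was derived for until the salt is rotated, which is the replay point the earlier comment raises. The example also takes the stable-template assumption as given; real captures vary between readings, so a deployable version needs a step that produces identical template bytes before hashing.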



