Microsoft States It's Time to Kill Off the Password

D3M1G0D:

Yes, I realize the significance of having a strong password (which is why I use a password manager), but brute force isn't the only way of hacking a password. Many hacking attempts happen through phishing or social engineering (e.g., a phishing email, a fake website, etc.). Also, long and complex passwords have a greater chance of being written down or stored somewhere, especially if they're used on many different sites/devices (it's also unlikely that they will ever change the password).
True, but I would categorize the examples you mentioned under "idiotic passwords". The best password is one that needs to be long, something that you can memorize, but impersonal and unique. The password I use in most cases has a specific design to it. It's a word from a language I don't speak spelled in 1337 and there is something special about the way it is typed. I use the same password for almost everywhere I log into, but for added security, I add a layer of my own personal logic that is specific to wherever I'm logging into. That logic is also easy for me to memorize. So in the unlikely event someone manages to hack my password in the first place, there's a pretty good chance that whoever sees it will just think it's randomly generated for just that 1 source. Meanwhile if they read what I posted here and know the password is partially recycled, they then have to figure out the secondary logic behind it.
This password was created for the sake of what I deem the most secure approach:
* It's sufficiently long, so it can't realistically be hacked via brute force, but not so long that it's tedious to type
* It's easy to memorize, so it doesn't need to be written down
* It looks like gibberish and bears no significance to my life, so it can't be predicted
* It's adaptable, so if it were hacked, it won't get you very far
So for me personally, I have a much greater chance of being hacked using biometrics.
schmidtbag:

True, but I would categorize the examples you mentioned under "idiotic passwords". The best password is one that needs to be long, something that you can memorize, but impersonal and unique. The password I use in most cases has a specific design to it. It's a word from a language I don't speak spelled in 1337 and there is something special about the way it is typed. I use the same password for almost everywhere I log into, but for added security, I add a layer of my own personal logic that is specific to wherever I'm logging into. That logic is also easy for me to memorize. So in the unlikely event someone manages to hack my password in the first place, there's a pretty good chance that whoever sees it will just think it's randomly generated for just that 1 source. Meanwhile if they read what I posted here and know the password is partially recycled, they then have to figure out the secondary logic behind it.
This password was created for the sake of what I deem the most secure approach:
* It's sufficiently long, so it can't realistically be hacked via brute force, but not so long that it's tedious to type
* It's easy to memorize, so it doesn't need to be written down
* It looks like gibberish and bears no significance to my life, so it can't be predicted
* It's adaptable, so if it were hacked, it won't get you very far
So for me personally, I have a much greater chance of being hacked using biometrics.
I use a very long and complex password for my LastPass account, and use randomly generated passwords for all my other accounts. This way, I can have strong security without thinking about it (I also use two-factor authentication for when I need extra security). On my phone, LastPass is linked to my fingerprint though, so I rely on biometrics there. I tried generating my own passwords for a while but knew I couldn't keep it up (I began using derivatives or using hints, which I felt wasn't good enough). By far the easiest way for me to get hacked is through my phone's passcode, although I don't use it much (so it can't be derived from smudges, hopefully). I'd be very surprised if someone manages to get into my phone through the iris scanner or fingerprint.
And how many times has a fellow developer called you from a client's place and asked you to do something on his computer and send the results to them, or called from home and asked you to start TeamViewer on his computer? Obviously he dictated the password to you to unlock/start his computer.
N o t h a n k s
So what happens when I want to remotely access my work's PC that's biometrically locked down and the PC I'm trying to access it with has no biometric devices attached? I've seen fingerprint scanners that can be used over an RDP session, but that's a 3rd party solution and needs an RDP server set up for it to work, and so adds another layer of 'expense' to the whole biometric security malarkey, especially if the 3rd party solution is a yearly cost like nearly all software 'solutions' used in businesses are!
So far it's the opposite: it's time to kill biometrics.
If we are talking security for the majority of the population, then biometrics is clearly more secure. The push in recent years to force people to create more complex passwords has increased the amount of passwords that get written down on physical or digital sticky notes. I've also noticed that passwords that need to be changed every month have pushed more people to use a password pattern like january2018, January2018 or even January2018!
A biometric bug means a mass security flaw for everyone; a bad password means a security flaw for the bad password only. If you put your home keys under the welcome mat, it's your own problem.
A flaw for everyone isn't the individual's problem though, while putting your "home keys under the welcome mat" is. Following on from above, say for example in the future we start to see front doors use biometrics rather than an old-fashioned key: as long as this is covered under my home insurance, then I would use biometrics. If my CC company is willing to take the hit for biometric fraud caused by a bug, then I will pick the security feature that is most convenient.
Alessio1989:

So far it's the opposite: it's time to kill biometrics.
Agreed. The only time there should be biometrics is for nuclear missile launch authentication, James Bond films, and my personal underground sex dungeon.
If I had a nickel for every time someone said "It's time to get rid of the password"--in order to substitute some other kind of "password" for the current "passwords" we all use--I'd be a whole lot richer than I am... Seems like every time someone comes up with the "perfect password replacement" it seems to have more vulnerabilities and drawbacks than make it reasonable or worthwhile to implement. Passwords work very well for people who use them intelligently--ah, but the world is full of people who won't/don't--and giving them a new formula simply provides them with another technology to abuse... The world is full of engineers who never heard, "If it ain't broke, don't fix it", as they are always trying to improve that which cannot be improved, imo.