How to keep my private bits private
March 20, 2008 3:45 AM

How reliable are USB drives using finger-print authentication?

I want to consolidate my many online and offline user accounts, passwords, pins etc. in a single, secure database (KeePass) which I want to store on a biometric USB flash drive. But what if I severely cut my finger while filleting some freshly-caught tofu, or what if the initial reading was just a bit dodgy (I don't want to even contemplate the scenario of actually losing the finger in question). Will my horribly disfigured fingertip cause my super-secure data to remain that way and also be completely inaccessible to me?
Or am I trying to deal with securing sensitive data in a totally ass-about way and are there better ways of going about it?
posted by =^^= to Technology (9 answers total)
Read this.
posted by alexei at 4:45 AM on March 20, 2008

You might do what we do with the biometric timeclock at my work: Scan two different fingers. (Though just how many USB flash drives support multiple finger profiles, I do not know.)
posted by hjo3 at 4:54 AM on March 20, 2008

Second vote for Truecrypt on your USB drive. I use it on mine for company confidential information and it works fine.
posted by arcticseal at 6:48 AM on March 20, 2008

Biometric locks are garbage. IronKey is far, far, far better and possibly even better than most software solutions (including TrueCrypt). Security Now is a great podcast about security, and it's accessible for the casual user. They discuss TrueCrypt, IronKey, and all those other technologies.
posted by blue_beetle at 7:05 AM on March 20, 2008

Thirding Truecrypt. Create a container file on the USB drive, use one of the three-factor encryption schemes, create a hidden volume within the container file, and use a really good alphanumeric-symbol password. The great thing about TC, besides being able to run the Truecrypt program from the USB drive, is that even if you lose the USB drive and somebody were to try to access the container file, there's no way for them to know what's inside by looking at the bits of the container file. One thing that I also do is instead of naming my container file "" (.tc is the Truecrypt file extension), I just name the file "a" - nice and generic.
posted by phrayzee at 8:55 AM on March 20, 2008

I like TrueCrypt, but also love my Kingston DataTraveler Secure (Privacy Edition) which, like IronKey, uses hardware encryption (AES) and therefore does not need admin rights to run on any PC (unlike TrueCrypt). With these devices, you plug them in the USB port and immediately get a password box. No running of third-party programs, etc. Of course, if you're really paranoid, you could use one of the hardware encrypted thumb drives and TrueCrypt. I agree with the others as far as staying away from the biometric thumb drives.

Kingston DataTraveler Secure

posted by Gerard Sorme at 10:00 AM on March 20, 2008

Nthing above.

TrueCrypt good; setting it for two-factor authentication is even better. (=You need not only the password, but also a "keyfile" in order to open the encrypted container. That keyfile can live on the stick, or on your PC, on another stick, etc. so that IF the stick is lost or stolen or copied, or if your password is leaked or cracked, the intruder would ALSO need to have the keyfile in addition to your password.) KeePass can also be set up to use keyfiles.

IronKey is also thumbs up; the hardware encryption is good, and built in to the device, hence uncrackable without the device itself. 10 incorrect password attempts causes the device to self-destruct, destroying your data. It has several secure backup options, a built-in secure FireFox/TOR browser, etc. It looks like they're in the process of making some improvements in the account/management tools as well, like the ability to self-destruct the device remotely (you lost it, or lent it out but that trust has been broken - you set it to destroy itself the next time it's open on an internet-connected computer). Note: the encryption part works on OSX, but not the extra features like the browser. Everything works in XP/Vista. Dunno about Linux. Also, expensive but can be worth it. Also, can make it through the washer and the dryer with no ill effects. :)

Biometrics, especially fingerprint readers, are way over-rated for two reasons. One is the crackability noted in the first response. The second is that the damn things rarely read well, even if you haven't scarred your fingers. I had one for a while but traded it for an IronKey after it routinely took me 10 or 20 swipes to get in to my device. Your fingerprint changes a little depending on the pressure and angle when you swipe it; so when you use it, you have to swipe your finger exactly the way you swiped it when you first set it up. Hassle, and since the security isn't that great, not worth it.
posted by bartleby at 2:27 PM on March 20, 2008
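
The password-plus-keyfile idea from the answer above, as an added example that is not part of the thread and is not TrueCrypt's or KeePass's actual key derivation. The function names, the header check value and the sample inputs are hypothetical; the point is that both factors feed one derived key, so either one alone opens nothing.

```python
import hashlib
import hmac
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this sketch
CHECK_LABEL = b"container-header-check"  # hypothetical header constant


def composite_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Derive one key from the password and, if given, the keyfile contents."""
    # Hash each factor on its own first so the two inputs cannot be
    # shifted across the boundary, then stretch the combined material.
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def seal(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Return the check value a container header would store."""
    key = composite_key(password, keyfile, salt)
    return hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()


def can_unlock(password: str, keyfile: Optional[bytes],
               salt: bytes, stored_check: bytes) -> bool:
    """True only if the supplied factors reproduce the stored check value."""
    key = composite_key(password, keyfile, salt)
    candidate = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, stored_check)


# Constructed sample values, not real secrets.
SALT = bytes(range(16))
KEYFILE = b"constructed keyfile contents \x00\x01\x02" * 8
PASSWORD = "correct horse battery staple"
CHECK = seal(PASSWORD, KEYFILE, SALT)

if __name__ == "__main__":
    print("password + keyfile:", can_unlock(PASSWORD, KEYFILE, SALT, CHECK))
    print("password only     :", can_unlock(PASSWORD, None, SALT, CHECK))
    print("keyfile only      :", can_unlock("guess", KEYFILE, SALT, CHECK))
```

If the keyfile sits on the same stick as the container, losing the stick hands over that factor and only the password remains.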

Oh, and I forgot: the encryption on the IronKey is automatic and non-voluntary. Some other USB encryption schemes, you can forget to encrypt your stuff before ejecting, and are thus unprotected. IronKey locks automatically, even if you just yank it out instead of locking/ejecting the USB drive properly. If it's not plugged in and opened, it's locked. Nice to not have to worry about.
posted by bartleby at 3:01 PM on March 20, 2008

Response by poster: Thanks for your great suggestions, particularly for pointing me to the podcast, blue_beetle. Unfortunately, I can't justify the cost of the IronKey for my personal paranoid needs, but I must say I was also somewhat disappointed that for its price it's not capless (no retractable port) and there's no thingymajiggy to attach it to a keyring or something.

I ended up getting a fairly rugged SanDisk 2GB Cruzer Titanium USB flash drive: no biometric poppycock (thanks Alexei and everyone else warning me off it). On my groovy little Cruzer I have installed the TrueCrypt and KeePass combo a lot of you suggested to keep things relatively secure.
posted by =^^= at 2:09 AM on March 26, 2008
