
November 27, 2012

Tim Dees
Police Tech & Gear with Tim Dees

Biometrics security is not foolproof


Security is always inconvenient, and people — police people in particular — seem to strive constantly to defeat security measures intended to protect themselves, their property, or the assets of their employers.

Locked doors are propped open or the latches taped over; keys are left accessible to anyone who happens by the hook they’re hung on.

Biometric measures like iris scans and fingerprint readers offer what seems like a secure means of maintaining security without having to carry a card or key or remember a password, and these methods are mostly reliable. Recently, a flaw in a fingerprint reader used on many laptop computers was revealed to expose passwords stored in the Windows registry.


One Woodpecker
The Windows registry is a gawd-awful-long index of arcane “keys” that dictate how the Windows operating system works. You can look at it by typing “regedit” (without the quotes) into the search field in Windows. Change or delete the right key, and the whole system crashes.

The Windows registry is a proof of concept that, if computer programmers designed buildings and bridges, one woodpecker could destroy Western civilization.

The vulnerable password manager is a set of applications called the UPEK Protector Suite.

It services the fingerprint reader installed on many laptops and some desktop machines. Instead of typing a password in to start Windows or access files or websites, you slide your fingertip over the reader, telling the computer that it’s really you that is trying to get in. The reader recognizes an enrolled fingerprint and queries the list stored in the registry for a password matching the resource having the focus on the screen.

If found, the software retrieves the password, enters it into the blank, and you’re operating.

In late August, a company called Elcomsoft announced they had devised a way to get the passwords stored by the UPEK software out of the registry. Following that, consultants Adam Caudill and Brandon Wilson published some open-source software that does the same thing. The objective (Caudill’s and Wilson’s, anyway) wasn’t to steal anyone’s passwords, but to show users it could be done. The weakness lies with UPEK’s method of storing the passwords in “barely scrambled but not encrypted” form, making them easy prey for password collectors. A new version of the software was released in mid-September, but the experts say it isn’t much of an improvement.

Acquiring even a single password from a user can leave that user’s entire online identity vulnerable, because people tend to use the same password, or a slight variation of it, over and over. Once the hacker has your email address and a password, they start looking at popular websites and merchants like Amazon, Facebook, Hotmail, and Google, entering the details they acquired to see what works.

Software capable of trying thousands of password variations every second is available and executable on garden-variety desktop and laptop computers. If that password is something often used (“12345,” “password,” “qwerty”) or is tied to a detail of your life (the city where you live, your child’s or dog’s name, your nickname), the task is even easier.

If your computer has a fingerprint reader installed on it, you can check to see if it uses the vulnerable software by opening the registry using the method described above, and navigating to HKEY_LOCAL_MACHINE\Software\Virtual Token\Passport\. If you don’t find this key folder, you’re using some other software. Alternatively, check your Programs and Features listing in Control Panel to see if “UPEK Protector Suite” is one of them.
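The same two checks can be run from a PowerShell prompt instead of clicking through regedit and Control Panel. This is an added example, not code from the column or from UPEK; it assumes the registry path given above and looks for the program by the display name “Protector Suite” in the Uninstall keys that Programs and Features reads.

```powershell
# Added example: check this Windows machine for the UPEK Protector Suite
# password store (registry key named in the column) and for the program
# entry that Programs and Features would list. Read-only; changes nothing.

$upekKey = 'HKLM:\SOFTWARE\Virtual Token\Passport'

if (Test-Path -LiteralPath $upekKey) {
    Write-Output "FOUND registry key: $upekKey (UPEK Protector Suite password store present)"
} else {
    Write-Output "Registry key not present: $upekKey"
}

# Programs and Features is built from these Uninstall subkeys (32- and 64-bit views).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Protector Suite*' } |
    Select-Object DisplayName, DisplayVersion, Publisher

if ($found) {
    $found | Format-Table -AutoSize
} else {
    Write-Output "No 'Protector Suite' entry in Programs and Features"
}
```

Either hit means the machine has the software the column describes and its stored passwords should be treated as exposed: change them, and do not rely on the fingerprint reader to keep them secret until the vendor fix is confirmed adequate.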

One historically-reliable method of maintaining security on multiple passwords is to use a password manager. LastPass has a free version, and their premium version is only $12 per year. I personally favor RoboForm, which varies between $9.95 and $39.95 per year, depending on how many computers you use.

Both store your passwords online in heavily-encrypted form that, so far, no one has been able to crack without the master password. When you use a password manager, instead of typing in a web address and manually entering your user name and password, you click on a link in the password manager and the software does all that for you.

Obviously, you need to choose a strong master password, but it’s the only one you’ll have to remember. Both packages include password generators that construct strong passwords of random characters of almost any length and combination of character types (upper- and lowercase letters, numbers, punctuation) you can then paste into the new password blank.

The software will then suggest you ask it to remember the password and where you entered it for future use.
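For readers who want to see what a password generator of the kind described above actually does, here is an added example in PowerShell (not code from LastPass, RoboForm or the column). It draws characters from the operating system’s cryptographic random number generator rather than a plain random function, avoids the bias that simple “byte modulo alphabet size” sampling introduces, and rejects any candidate that misses one of the four character classes. The length and punctuation set are assumptions; adjust them to what the site accepts.

```powershell
# Added example: generate a strong random password with the OS crypto RNG.
function New-StrongPassword {
    param(
        [int]$Length = 20   # assumed default; raise it where the site allows
    )

    $lower = 'abcdefghijklmnopqrstuvwxyz'
    $upper = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $digit = '0123456789'
    $punct = '!@#$%^&*()-_=+[]{};:,.?'   # assumed set; trim for picky sites
    $alphabet = ($lower + $upper + $digit + $punct).ToCharArray()

    # Largest multiple of the alphabet size that fits in a byte; bytes at or
    # above it are discarded so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    try {
        do {
            $sb = [System.Text.StringBuilder]::new()
            for ($i = 0; $i -lt $Length; $i++) {
                do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
                [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
            }
            $pw = $sb.ToString()

            # Require at least one character from each class; -cmatch is
            # case-sensitive, so [a-z] and [A-Z] are checked separately.
            $ok = ($pw -cmatch '[a-z]') -and ($pw -cmatch '[A-Z]') -and
                  ($pw -cmatch '[0-9]') -and ($pw -cmatch '[^A-Za-z0-9]')
        } while (-not $ok)
    } finally {
        $rng.Dispose()
    }

    return $pw
}

# Usage: print one 20-character password to paste into the new-password field.
New-StrongPassword -Length 20
```

Rejection sampling matters more than it looks: taking a random byte modulo 85 makes the first character of the alphabet slightly more likely than the rest, and a password manager that leaks a few bits per character to an attacker is quietly weaker than its length suggests.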

Cops are especially juicy targets for hackers, because they have sensitive information stored on their computers, and because they like to make us look like fools.

Don’t leave yourself open to a security breach.

About the author

Tim Dees is a writer, editor, trainer, and former law enforcement officer. After 15 years as a police officer with the Reno Police Department and elsewhere in Northern Nevada, Tim taught criminal justice as a full-time professor and instructor at colleges in Wisconsin, West Virginia, Georgia, and Oregon.

He was also a regional training coordinator for the Oregon Dept. of Public Safety Standards & Training, providing in-service training to 65 criminal justice agencies in central and eastern Oregon.

Tim has written more than 300 articles for nearly every national law enforcement publication in the United States, and is the author of The Truth About Cops, published by Hyperink Press. In 2005, Tim became the first editor-in-chief for Officer.com, moving to the same position for LawOfficer.com at the beginning of 2008. He now writes on applications of technology in law enforcement from his home in SE Washington state.

Tim holds a bachelor’s degree in biological science from San José State University, a master’s degree in criminal justice from The University of Alabama, and the Certified Protection Professional credential from ASIS International. He serves on the executive board of the Public Safety Writers Association.

Dees can be reached at tim.dees@policeone.com.
