

Many Laptop Fingerprint Scanners may make Windows less secure

1 reply to this topic

#1 Andrew



Posted 06 September 2012 - 05:52 PM

Elcomsoft has put out a blog post stating that a popular feature of many modern laptops -- biometric logon with your fingerprint -- has been poorly implemented by UPEK such that it "effectively destroy[s] the entire security model of Windows accounts." UPEK, owned by Authentec, is a major supplier of biometric hardware and software to Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, SONY, Toshiba, and others.

"After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted. Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable “automatic login”, which is discouraged by Microsoft."

However, UPEK's maker disputes these allegations:

"Authentec, which makes the widely used UPEK fingerprint scanner, said on Wednesday that it couldn't find any evidence to support the allegation that its software stores Windows passwords insecurely, exposing customers to potential hacking."

An attacker who is able to recover a Windows account password can access anything the user is able to, including files encrypted with Windows' built-in EFS file encryption, and other credentials protected by the user's password.

Edited by Andrew, 06 September 2012 - 06:04 PM.


Posted 07 September 2012 - 09:47 AM

My question is .. if you use a Fingerprint Scanner as your login .. why can't it just store a copy of your fingerprint in the system and not an actual password?? I know some of you will say ... what if the scanner breaks .. well then you can switch over to text login and set it up to have to answer a security question to allow you to set up the actual text password if the scanner stops working. That way there is no actual text password stored .. (at least not at first) .. just an image of your fingerprint. That's just my two cents on the topic anyway .. :busy:
