How secure are fingerprint readers vs password?

I use a very long and secure system password. I have never used fingerprint scanners except on a phone. How does it compare to a 12-16 character complex password?

1 Like

Don’t you still need a password, even if you have fingerprint login enabled? So by definition, having a fingerprint login only increases the attack surface of your device.

On the issue of whether the fingerprint sensor is just as “secure” from a hacking perspective…my stance is that it doesn’t matter. Even if the sensor were 1000x more difficult to hack remotely, it’s still vastly easier (and more likely) to be circumvented by just coercing you to use your own finger (whether by force or law). A password on the other hand is in your head, which is harder to force - imo.

My stance is that biometrics are for convenience, not security.

1 Like

Flaws in Fingerprint Sensors (Nov. 2023) says:

A new research has uncovered multiple vulnerabilities that could be exploited to bypass Windows Hello authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops.

Thanks and valid points which I agree with, but kind of not what I was after. I mean technically-speaking. Forget being forced to give fingerprint/password. If a machine was stolen from my car, just for argument’s sake, would it be safer with a decent complex password or with fingerprint when it comes to getting into it. I would assume password is MUCH more secure, but wondered if I am wrong there. I am interested in which is the more secure technically to brute force/hack, not including social engineering and other (possible) exploits.

Thanks, I’ve never heard of Windows Hello. Would this information apply to a fingerprint reader being used on, say, Fedora?

If the fingerprint driver depends on some binary blob it may well have the same implementation mistakes as the Windows driver. At my work, fingerprint readers were dropped, and password requirements were changed to a minimum length with a recommendation that we use a line from a song or poem. The requirement for frequent password changes was also relaxed. All that may have changed in the 5 years since I retired.

[edit]: From the Ars Technica article:

The Dell laptop’s Goodix fingerprint sensor implemented SDCP properly in Windows but used no such protections in Linux.

1 Like

Interesting, thanks.
I have never used nor wanted a fingerprint on a laptop, but I see some have the option and some don’t, so I was wondering if it ‘adds’ anything to the mix, and I guess it doesn’t (except attack surface perhaps :D). I’ll stick to my memorised complex password.

1 Like

You can change a password/passphrase, and you can refuse to give them.

Biometrics (like fingerprints, photos, etc.) can be duplicated / lifted without your consent or knowledge, and they cannot be replaced.

You keep missing my point. I did try to explain. Let me try again:

A thief steals my laptop. They do not have my password. They do not have my fingerprint. They do not have my photo. They have NO WAY to get/force/steal/otherwise obtain the necessary credentials for either password or fingerprint.

I am asking which would be easier to hack into through, password or fingerprint sensor?

There is no “this or that” answer to such a question. A properly set password (a passphrase, long enough, containing symbols/punctuation marks, lower and upper case letters) is always stronger than a fingerprint alone. But if the password is passw123, then it’s about the same as a fingerprint to crack/obtain.
That’s simplified, but still can give you an idea about how quickly passwords can be cracked depending on password length and complexity.
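To put numbers on the length-and-complexity point, here is an added example (not part of the original thread) that compares the search space of several password layouts, including the "6 lowercase characters and 2 digits" policy mentioned further down. The guessing rate and the 7776-word list size are assumptions, and the figures are upper bounds that hold only for randomly chosen passwords; human-chosen ones such as passw123 fall much sooner.

```python
import math

# Assumed offline guessing rate (guesses per second). A constructed figure for
# illustration; real rates depend on the password hash and the hardware.
ASSUMED_RATE = 1e10

def keyspace(parts):
    """parts: list of (alphabet_size, count), one per independent random segment."""
    total = 1
    for alphabet, count in parts:
        total *= alphabet ** count
    return total

def bits(parts):
    """Entropy in bits, valid only if every segment is chosen uniformly at random."""
    return math.log2(keyspace(parts))

def worst_case_seconds(parts, rate=ASSUMED_RATE):
    """Time to try every candidate once at the assumed rate."""
    return keyspace(parts) / rate

def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"

# Layouts taken from the discussion; the word-list size is an assumption.
POLICIES = {
    "6 lowercase + 2 digits (fixed layout)": [(26, 6), (10, 2)],
    "8 chars, lowercase + digits": [(36, 8)],
    "4 random words from a 7776-word list": [(7776, 4)],
    "12 chars, 94 printable ASCII": [(94, 12)],
    "16 chars, 94 printable ASCII": [(94, 16)],
}

def report():
    return [(name, round(bits(p), 1), human(worst_case_seconds(p)))
            for name, p in POLICIES.items()]

if __name__ == "__main__":
    for name, b, t in report():
        print(f"{name:40s} {b:6.1f} bits  {t}")
```

A fixed layout shrinks the space well below what the character count suggests: the 6+2 policy has roughly 90 times fewer candidates than eight free characters from the same 36 symbols.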

Er, thank you!

“There is no “this or that” answer to such a question.”

“properly set password is always stronger than a fingerprint alone.”

You did just answer the question, perfectly! Thank you!

(PS: I explained above how complex my password is. So it’s stronger than a fingerprint alone. Boom, there’s my answer. Thanks again.)

Yes, and adding the fingerprint adds to the required steps to hack the machine so it adds to the security, but should not be an absolute replacement in every situation.

1 Like

Aaah. I assumed it was either or. If the fingerprint can unlock the machine when in standby, I guess it’s a bigger risk compared to password. That’s useful to know, thanks.

1 Like

Both login password and fingerprint are trivial to bypass by booting a different system from a USB media or by extracting the disk and attaching it to a different machine.

Full physical access to the machine nullifies any protection other than disk/data encryption.

4 Likes
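One way to check the point above on a Linux machine, as an added example that is not part of the original thread: it walks the JSON tree from `lsblk -J` and lists every mounted filesystem that has no dm-crypt (LUKS) layer beneath it. The sample device names and layout are constructed for illustration.

```python
import json
import subprocess

def unencrypted_mounts(lsblk_json):
    """Return sorted mountpoints whose device stack contains no dm-crypt layer."""
    found = []

    def walk(node, under_crypt):
        # Once a "crypt" device appears in the stack, everything above it
        # (LVM volumes, filesystems) is stored encrypted on disk.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not under_crypt:
            found.append(mountpoint)
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return sorted(found)

def live_lsblk():
    """Query the running system (requires util-linux lsblk)."""
    return subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout

# Constructed sample: encrypted root, plain /boot and ESP, plain second disk.
SAMPLE = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
        {"name": "nvme0n1p3", "type": "part", "mountpoint": None, "children": [
            {"name": "luks-root", "type": "crypt", "mountpoint": "/"}]}]},
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/home"}]},
]})

if __name__ == "__main__":
    for mountpoint in unencrypted_mounts(live_lsblk()):
        print("not encrypted at rest:", mountpoint)
```

`/boot` and the EFI partition normally show up as unencrypted; anything else in the output, such as `/home` in the sample, is readable by whoever removes the disk.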

I wonder why it took so much time for someone to give this answer.
If someone has physical access to your unencrypted device, it’s not yours anymore.

I personally do not trust Fingerprint Scanners.

  • They can be spoofed, “Gummy Bear Attack” and other more modern methods exist.

I have always had a very long password, and when I did Support Contracts I was always asked how to get good long passwords. Songs, poems, a collection of words. Some words associated with their working environment:

  • Chemical names like Sarin, Amin Synergist, Aerosil, Urea Pril Shot etc
  • Also, the use of password managers and reporting intranet sites with short requirements or passwords with any information identifiable to the user.
    • There is a local grocery (supermarket) whose intranet site is tied to a public-facing web page. Their intranet passwords are all 6 lowercase characters and 2 digits :man_facepalming:t5: :stop_sign:

Always encrypt! But also, normalize encrypting documents you share :100: with GPG.

:100:

1 Like

Or you loaned it to your wife to do some shopping.

Your spouse should have their own login/user. Never share the same account. You can add users easily, and having a backup user account comes in handy for newbies to Linux as well.

Clearly you’ve met her :smiley:

1 Like