On the other hand, it's much harder to crack a hashed thumbprint image.
[edit]
evan_ is right, you don't hash scan images. The question is, how many usable bits of entropy can you extract from a thumbprint scan? Anyway, I retract my main point.
Definitely. A 256 x 256 pixel grayscale image (8 bits per pixel) is half a million bits of entropy... try cracking that on your botnet!
Although the real entropy of thumbprint images is likely to be much smaller, considering that they share many similar pixels... but it's still unimaginably huge compared to a short alphanumeric password.
Draw a picture on a piece of paper. Sign it, write your name, arbitrary words, whatever. Hold it up to a camera.
Could something like this be made to work? Work in the sense that a variety of cameras could read the same "password"? I guess QR codes have a fair bit of redundancy built-in...
And the 11th time? I think I've had significantly > 10 sites I use have major password leaks. And I just turned 26 - my 10 fingers (ok, 20 with toes) would need to last a lifetime for this to be a viable solution.
I'd be more concerned about government mandated fingerprinting. Using public key authentication, it would be possible to make biometric keys nigh impossible to steal (such that they don't ever exist on disk in any form whatsoever.) However, they're really easy to steal if you can ever get physical access to the person or any personal records that happen to record said information.
Fundamental flaw with that: you can't change your fingerprint if/when it is compromised.