39 posts in this topic

Posted

Steve Gibson is still hard at work on SQRL while a lot of you are still probably poo pooing the idea, I for one an very excited about it.

 

He has released a UI page  with a very detailed explanation of how all of this works. Its still a work in progress.

 

I recommend everyone go to the page and read it. The page is a great read

 

https://www.grc.com/sqrl/ui/HintPrompt.png

 

Apparently when importing your identity from one device to another using your recovery code it does take a mandatory 30 seconds per attempt, to thwart brute forcing.

 

I should also note that people should get out of their head this idea that this requires QR codes. it does not. You can use one if you are on a public computer, but aside from that, it can be used in the browser on a computer or mobile device without a QR code

 

Welcome.png

 

 

 

HowItWorks.png

 

Create1.png

Create1a.png

Create2.png

IdentityReplace.png

 

Create3.png

 

AboutEntropy.png

 

Create4.png

 

Create5.png

 

PassPrompt.png

 

HintPrompt.png

Share this post


Link to post
Share on other sites

Posted

Inconvenient security will always be ignored. . look at UAC in windows, it had to be dialed back because it was inconvenient, and people still turn it off. more to the point, the people it actually would help, the people with most knowledge about computers, turn it off. 

 

It's why credits cards cover fraud for their customers. they could make the cards more secure. But then they'd be inconvenient to use. So while credit card A had secure credit cards that didn't cover fraud because it wasn't necessary, credit card company B would get all the company because their cards are convenient but unsecure, but they cover any fraud. 

1 person likes this

Share this post


Link to post
Share on other sites

Posted

If by chance this ever got adopted into the major browsers, then once an identity is created I think it would a more convenient and more secure.

Share this post


Link to post
Share on other sites

Posted

SQRL Presentation by Steve Gibson at the 2014 DigiCert Security Summit.

Share this post


Link to post
Share on other sites

Posted

I came across this very well written page explaining how SQRL works

 

http://sqrl.pl/guide/index.html#overview

 

I think I might just be the only person on Neowin excited about this :laugh:

Share this post


Link to post
Share on other sites

Posted

I think I might just be the only person on Neowin excited about this :laugh:

 

Registered just to agree with you.

 

 

Whenever you find yourself on the side of the majority, it is time to pause and reflect.

Mark Twain

 

I can't wait for this to go mainstream. I hope linux users and developers go wild with it.

Share this post


Link to post
Share on other sites

Posted

I think U2F is more likely to catch on, that's actually got support from browser makers.

Share this post


Link to post
Share on other sites

Posted

I think U2F is more likely to catch on, that's actually got support from browser makers.

 

ya maybe. But if I remember correctly, doesn't the server with U2F still have to keep some secrets?

Share this post


Link to post
Share on other sites

Posted

SQRL Demonstration on Security now

 

When he said "i'll log onto your computer using SQRL leo" ..what he meant was He will log onto his (Steve's) account on Leo's computer.

 

In this case he took a picture of it with his phone. On a desktop you simply click the QR code with your mouse. What he also didn't say is that he did have to enter a strong password to unlock his sqrl account on his computer. But to gain access to someones sqrl account you need the password, plus the recover code, which he makes very clear during the creation of your sqrl account not to store it on your computer.

 

Share this post


Link to post
Share on other sites

Posted

Using this method the servers have no secretes to keep. When I say secretes I mean using this method the server does NOT store any usernames and passwords . If a server gets hacked it's really no big deal. Because there is nothing on the server that anyone can use to log in to that site or any other side on the internet as you.

Share this post


Link to post
Share on other sites

Posted

A demonstration video I recorded today

 

A quick note, the 1st time you use your imported identity you are prompted for your full password. It only prompted me for the 1st 4 characters because I actually did an edit in the video right at that spot. Which means I goofed and cut that part out.

 

Share this post


Link to post
Share on other sites

Posted

 

A demonstration video I recorded today

 

A quick note, the 1st time you use your imported identity you are prompted for your full password. It only prompted me for the 1st 4 characters because I actually did an edit in the video right at that spot. Which means I goofed and cut that part out.

 

 

it is an interesting concept but i cannot see it taking off with the likes of the ubikey along with lastpass to store passwords the unwashed masses are yet to take it up and there is still a lot of  websites out there that dont bother to offer 2FA for the users accounts. We are getting there though just slowly

Share this post


Link to post
Share on other sites

Posted

it is an interesting concept but i cannot see it taking off with the likes of the ubikey along with lastpass to store passwords the unwashed masses are yet to take it up and there is still a lot of  websites out there that dont bother to offer 2FA for the users accounts. We are getting there though.

 

Personally I think this is so much easier and safer than lastpass.

 

If you are using this with a site and if that site gets hacked you really don't even have to change your password.

Share this post


Link to post
Share on other sites

Posted

I posted the following on the GRC news group regarding sqrl

After I recorded the video I was trying to think of every single attack
surface I could think of on how a user would get their identity stolen
and I came up with the following scenarios.

Scenario 1

Hacker compromises a user's PC, has remote access and has also installed
a key logger.

They wait a while for the user to enter his entire password into SQRL.
Because he has remote access to the users machine he opens the sqrl
client displays the QR code on screen takes a screen shot, Prints
exported information to file to a PDF File instead of a printer or just
used the store the file option .. all of which he sends back to himself.

He then uses the QR code to import your identity (which does not require
a the recovery code) onto his machine and has the password to match.

Scenario 2

Someone has physical access to your machine and installs a keylogger via
software or a physical device attached to your keyboard. They wait until
they have your password they then export your identity to a USB device
and leave.

So then I thought that anything done in the Backup or Export Section
should require the recovery code. Then I was like, well no, because if
there is a keylogger on the system they would get that as well and
that's not good.

So then what's the solution? Without access to a QR code or the other
code + the recovery code the SQRL password is absolute worthless.

Except how easy it might be for an attacker to export it out of the
machine.	

The only solution I could think of, is something separate which is
printed out that would be instructed to be stored in a Separate place
than the recovery code and printed CR code. How about a list of 1 time
use codes which would be used for authentication to export your identity

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.