SQRL: Secure QR Login : Replacement for Usernames and passwords

By +Warwagon
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

Steve Gibson is still hard at work on SQRL while a lot of you are still probably poo pooing the idea, I for one an very excited about it.

 

He has released a UI page  with a very detailed explanation of how all of this works. Its still a work in progress.

 

I recommend everyone go to the page and read it. The page is a great read

 

https://www.grc.com/sqrl/ui/HintPrompt.png

 

Apparently when importing your identity from one device to another using your recovery code it does take a mandatory 30 seconds per attempt, to thwart brute forcing.

 

I should also note that people should get out of their head this idea that this requires QR codes. it does not. You can use one if you are on a public computer, but aside from that, it can be used in the browser on a computer or mobile device without a QR code

 

Welcome.png

 

 

 

HowItWorks.png

 

Create1.png

Create1a.png

Create2.png

IdentityReplace.png

 

Create3.png

 

AboutEntropy.png

 

Create4.png

 

Create5.png

 

PassPrompt.png

 

HintPrompt.png

Link to comment
Share on other sites
Grand Master

HawkMan

Posted
Posted

Inconvenient security will always be ignored. . look at UAC in windows, it had to be dialed back because it was inconvenient, and people still turn it off. more to the point, the people it actually would help, the people with most knowledge about computers, turn it off. 

 

It's why credits cards cover fraud for their customers. they could make the cards more secure. But then they'd be inconvenient to use. So while credit card A had secure credit cards that didn't cover fraud because it wasn't necessary, credit card company B would get all the company because their cards are convenient but unsecure, but they cover any fraud. 

Link to comment
Share on other sites
Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

If by chance this ever got adopted into the major browsers, then once an identity is created I think it would a more convenient and more secure.

Link to comment
Share on other sites
  • 8 months later...
  • 2 months later...
  • 4 weeks later...
Neowinian

Fer Trandar

Posted
Posted

I think I might just be the only person on Neowin excited about this :laugh:

 

Registered just to agree with you.

 

 

Whenever you find yourself on the side of the majority, it is time to pause and reflect.

Mark Twain

 

I can't wait for this to go mainstream. I hope linux users and developers go wild with it.

Link to comment
Share on other sites
Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

I think U2F is more likely to catch on, that's actually got support from browser makers.

 

ya maybe. But if I remember correctly, doesn't the server with U2F still have to keep some secrets?

Link to comment
Share on other sites
  • 2 months later...
Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

SQRL Demonstration on Security now

 

When he said "i'll log onto your computer using SQRL leo" ..what he meant was He will log onto his (Steve's) account on Leo's computer.

 

In this case he took a picture of it with his phone. On a desktop you simply click the QR code with your mouse. What he also didn't say is that he did have to enter a strong password to unlock his sqrl account on his computer. But to gain access to someones sqrl account you need the password, plus the recover code, which he makes very clear during the creation of your sqrl account not to store it on your computer.

 

Link to comment
Share on other sites
Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

Using this method the servers have no secretes to keep. When I say secretes I mean using this method the server does NOT store any usernames and passwords . If a server gets hacked it's really no big deal. Because there is nothing on the server that anyone can use to log in to that site or any other side on the internet as you.

Link to comment
Share on other sites
Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

A demonstration video I recorded today

 

A quick note, the 1st time you use your imported identity you are prompted for your full password. It only prompted me for the 1st 4 characters because I actually did an edit in the video right at that spot. Which means I goofed and cut that part out.

 

Link to comment
Share on other sites
Grand Master

Intersect

Posted
Posted

 

A demonstration video I recorded today

 

A quick note, the 1st time you use your imported identity you are prompted for your full password. It only prompted me for the 1st 4 characters because I actually did an edit in the video right at that spot. Which means I goofed and cut that part out.

 

 

it is an interesting concept but i cannot see it taking off with the likes of the ubikey along with lastpass to store passwords the unwashed masses are yet to take it up and there is still a lot of  websites out there that dont bother to offer 2FA for the users accounts. We are getting there though just slowly

Link to comment
Share on other sites
Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

it is an interesting concept but i cannot see it taking off with the likes of the ubikey along with lastpass to store passwords the unwashed masses are yet to take it up and there is still a lot of  websites out there that dont bother to offer 2FA for the users accounts. We are getting there though.

 

Personally I think this is so much easier and safer than lastpass.

 

If you are using this with a site and if that site gets hacked you really don't even have to change your password.

Link to comment
Share on other sites
Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

I posted the following on the GRC news group regarding sqrl

After I recorded the video I was trying to think of every single attack
surface I could think of on how a user would get their identity stolen
and I came up with the following scenarios.

Scenario 1

Hacker compromises a user's PC, has remote access and has also installed
a key logger.

They wait a while for the user to enter his entire password into SQRL.
Because he has remote access to the users machine he opens the sqrl
client displays the QR code on screen takes a screen shot, Prints
exported information to file to a PDF File instead of a printer or just
used the store the file option .. all of which he sends back to himself.

He then uses the QR code to import your identity (which does not require
a the recovery code) onto his machine and has the password to match.

Scenario 2

Someone has physical access to your machine and installs a keylogger via
software or a physical device attached to your keyboard. They wait until
they have your password they then export your identity to a USB device
and leave.

So then I thought that anything done in the Backup or Export Section
should require the recovery code. Then I was like, well no, because if
there is a keylogger on the system they would get that as well and
that's not good.

So then what's the solution? Without access to a QR code or the other
code + the recovery code the SQRL password is absolute worthless.

Except how easy it might be for an attacker to export it out of the
machine.	

The only solution I could think of, is something separate which is
printed out that would be instructed to be stored in a Separate place
than the recovery code and printed CR code. How about a list of 1 time
use codes which would be used for authentication to export your identity
Link to comment
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.