Warwagon posted February 23, 2014:

Steve Gibson is still hard at work on SQRL. While a lot of you are still probably pooh-poohing the idea, I for one am very excited about it. He has released a UI page with a very detailed explanation of how all of this works. It's still a work in progress. I recommend everyone go to the page and read it. The page is a great read: https://www.grc.com/sqrl/ui/HintPrompt.png

Apparently, when importing your identity from one device to another using your recovery code, it does take a mandatory 30 seconds per attempt, to thwart brute forcing.

I should also note that people should get out of their heads this idea that this requires QR codes. It does not. You can use one if you are on a public computer, but aside from that, it can be used in the browser on a computer or mobile device without a QR code.
HawkMan posted February 23, 2014:

Inconvenient security will always be ignored. Look at UAC in Windows: it had to be dialed back because it was inconvenient, and people still turn it off. More to the point, the people it actually would help, the people with the most knowledge about computers, turn it off.

It's why credit cards cover fraud for their customers. They could make the cards more secure, but then they'd be inconvenient to use. So while credit card A had secure credit cards that didn't cover fraud because it wasn't necessary, credit card company B would get all the company because their cards are convenient but insecure, but they cover any fraud.
Warwagon posted February 23, 2014:

If by chance this ever got adopted into the major browsers, then once an identity is created I think it would be more convenient and more secure.
Warwagon posted November 21, 2014:

SQRL Presentation by Steve Gibson at the 2014 DigiCert Security Summit.
Warwagon posted February 18, 2015:

I came across this very well-written page explaining how SQRL works: http://sqrl.pl/guide/index.html#overview

I think I might just be the only person on Neowin excited about this.
Fer Trandar posted March 16, 2015:

> I think I might just be the only person on Neowin excited about this.

Registered just to agree with you.

"Whenever you find yourself on the side of the majority, it is time to pause and reflect." (Mark Twain)

I can't wait for this to go mainstream. I hope Linux users and developers go wild with it.
The_Decryptor posted March 16, 2015:

I think U2F is more likely to catch on; that's actually got support from browser makers.
Warwagon posted March 16, 2015:

> I think U2F is more likely to catch on; that's actually got support from browser makers.

Ya, maybe. But if I remember correctly, doesn't the server with U2F still have to keep some secrets?
Warwagon posted June 5, 2015:

SQRL Demonstration on Security Now.

When he said "I'll log onto your computer using SQRL, Leo", what he meant was that he will log onto his (Steve's) account on Leo's computer. In this case he took a picture of it with his phone. On a desktop you simply click the QR code with your mouse.

What he also didn't say is that he did have to enter a strong password to unlock his SQRL account on his computer. But to gain access to someone's SQRL account you need the password plus the recovery code, which he makes very clear during the creation of your SQRL account not to store on your computer.
Warwagon posted June 5, 2015:

Using this method the servers have no secrets to keep. When I say secrets, I mean that using this method the server does NOT store any usernames and passwords. If a server gets hacked it's really no big deal, because there is nothing on the server that anyone can use to log in to that site, or any other site on the internet, as you.
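To make the "no secrets on the server" claim concrete, here is an added example that is not part of the thread and not Steve Gibson's or any SQRL project's code. It is a deliberately simplified model of the SQRL identity scheme: the client derives a separate Ed25519 key for every site by running HMAC-SHA256, keyed with its secret master key, over the site's domain name, and the server stores only the resulting public key. The master key value, the domain names, the `domain|nonce` challenge format, the in-memory `Server` type and its method names are all assumptions made for the demo; real SQRL wire formats are more involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// MasterKey stands in for the secret the SQRL client keeps, unlocked by the
// user's password. Constructed value for this demo; a real client generates
// random bits and never sends them to any server.
var MasterKey = []byte("constructed-32-byte-master-key!!")

// siteSeed derives a per-site private-key seed: HMAC-SHA256 keyed with the
// master key over the site's domain. Different domains give unrelated seeds,
// so one site's key reveals nothing about the user's key at another site.
func siteSeed(master []byte, domain string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	return mac.Sum(nil) // 32 bytes, exactly an Ed25519 seed
}

// SitePublicKey is the only thing the client hands the server at registration.
func SitePublicKey(master []byte, domain string) ed25519.PublicKey {
	priv := ed25519.NewKeyFromSeed(siteSeed(master, domain))
	return priv.Public().(ed25519.PublicKey)
}

// Authenticate answers a server challenge: the client signs domain|nonce
// with its per-site key and returns the public key plus the signature.
func Authenticate(master []byte, domain, nonce string) (ed25519.PublicKey, []byte) {
	priv := ed25519.NewKeyFromSeed(siteSeed(master, domain))
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, []byte(domain+"|"+nonce))
}

// Server keeps only public keys and the nonces it has issued. There is no
// password hash and no shared secret anywhere in this struct.
type Server struct {
	domain string
	users  map[string]bool // hex(public key) -> registered
	nonces map[string]bool // nonce -> issued and not yet used
}

func NewServer(domain string) *Server {
	return &Server{domain: domain, users: map[string]bool{}, nonces: map[string]bool{}}
}

// Challenge issues a fresh random nonce that the client must sign.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n
}

func (s *Server) Register(pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = true
}

// Login verifies a signature over this server's own domain and an unused
// nonce, so a signature captured for one site or one session cannot be
// replayed against another.
func (s *Server) Login(pub ed25519.PublicKey, nonce string, sig []byte) error {
	if !s.users[hex.EncodeToString(pub)] {
		return errors.New("unknown identity")
	}
	if !s.nonces[nonce] {
		return errors.New("nonce not issued or already used (replay)")
	}
	if !ed25519.Verify(pub, []byte(s.domain+"|"+nonce), sig) {
		return errors.New("bad signature")
	}
	delete(s.nonces, nonce) // single use
	return nil
}

// Dump models what an attacker walks away with after a full database breach:
// a list of public keys and nothing else.
func (s *Server) Dump() []string {
	var out []string
	for k := range s.users {
		out = append(out, k)
	}
	return out
}

func main() {
	srv := NewServer("example.com")
	srv.Register(SitePublicKey(MasterKey, "example.com"))
	nonce := srv.Challenge()
	pub, sig := Authenticate(MasterKey, "example.com", nonce)
	fmt.Println("login:", srv.Login(pub, nonce, sig))
	fmt.Println("replay:", srv.Login(pub, nonce, sig))
	fmt.Println("breach yields only:", srv.Dump())
	fmt.Println("same user at example.org:", hex.EncodeToString(SitePublicKey(MasterKey, "example.org")))
}
```

Run it and compare the two public keys printed for example.com and example.org: they come from the same master key but are unrelated, which is why a dump of one site's database cannot be used to log in as that user anywhere else. The server-side check also shows the two things a verifier must still get right even with no secrets to store: bind the signature to its own domain, and accept each nonce only once.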
Warwagon posted June 5, 2015:

A demonstration video I recorded today.

A quick note: the first time you use your imported identity you are prompted for your full password. It only prompted me for the first 4 characters because I actually did an edit in the video right at that spot, which means I goofed and cut that part out.
Intersect posted June 5, 2015:

> A demonstration video I recorded today. A quick note: the first time you use your imported identity you are prompted for your full password. It only prompted me for the first 4 characters because I actually did an edit in the video right at that spot, which means I goofed and cut that part out.

It is an interesting concept, but I cannot see it taking off. With the likes of the YubiKey along with LastPass to store passwords, the unwashed masses are yet to take it up, and there are still a lot of websites out there that don't bother to offer 2FA for their users' accounts. We are getting there, though, just slowly.
Warwagon posted June 5, 2015:

> It is an interesting concept, but I cannot see it taking off. With the likes of the YubiKey along with LastPass to store passwords, the unwashed masses are yet to take it up, and there are still a lot of websites out there that don't bother to offer 2FA for their users' accounts. We are getting there, though.

Personally I think this is so much easier and safer than LastPass. If you are using this with a site and that site gets hacked, you really don't even have to change your password.
Warwagon posted June 6, 2015:

I posted the following on the GRC newsgroup regarding SQRL.

After I recorded the video I was trying to think of every single attack surface I could think of on how a user would get their identity stolen, and I came up with the following scenarios.

Scenario 1: A hacker compromises a user's PC, has remote access and has also installed a keylogger. They wait a while for the user to enter his entire password into SQRL. Because he has remote access to the user's machine, he opens the SQRL client, displays the QR code on screen, takes a screenshot, prints the exported information to a PDF file instead of a printer, or just uses the store-the-file option, all of which he sends back to himself. He then uses the QR code to import your identity (which does not require the recovery code) onto his machine and has the password to match.

Scenario 2: Someone has physical access to your machine and installs a keylogger via software or a physical device attached to your keyboard. They wait until they have your password, then export your identity to a USB device and leave.

So then I thought that anything done in the Backup or Export section should require the recovery code. Then I was like, well, no, because if there is a keylogger on the system they would get that as well, and that's not good. So then what's the solution? Without access to a QR code or the other code plus the recovery code, the SQRL password is absolutely worthless, except for how easy it might be for an attacker to export it out of the machine.

The only solution I could think of is something separate which is printed out, and which you would be instructed to store in a separate place from the recovery code and the printed QR code. How about a list of one-time-use codes which would be used for authentication to export your identity?