View Full Version : SQRL: The end of web site passwords - in our lifetime

5th June 2015, 06:29
Websites, even some of the biggest and most secure, have proven time and again that they cannot guarantee the secrecy of your account information. They are all at risk of being hacked.

Users, even the most careful and geeky, have proven time and again that they cannot be relied on to always follow "best practices" in managing account passwords. Sooner or later they will reuse a password, or use one that's too simple, or write the password down on a piece of paper or in a computer file that someone else might see.

Passwords suck. Both website admins and website users agree on that much. But they're the best we have in most cases, and so we're stuck using them.

Steve Gibson, who some of us old computer nerds will recognize as the author of Spinrite (the finest disk error recovery tool, ever, and still), is developing a replacement for passwords. It's called SQRL (pronounced "squirrel"). It uses public-key encryption so that websites no longer need to keep a secret password to check your identity. Rather you keep the secret on your PC, Mac or smart phone, and websites keep only your public key.

SQRL stands for "Secure Quick Reliable Login". It is a comprehensive, easy-to-use, high security replacement for usernames, passwords, reminders, one-time-code authenticators . . . and everything else. It promises to be both easier to use, and more secure. No secret is kept on websites to validate your login, and you do not need to manage separate, hopefully "random enough", passwords for each website. Logging in can be as simple as entering a single, not too difficult, password into your PC or phone that identifies you to your phone, and then doing something such as taking a camera shot of a QR code displayed on a websites home page with your phone camera.

If you're looking for a replacement for your password manager ... it's too early ... come back in perhaps a year.

But if you're secretly aspiring to be a computer geek in cryptography ... keep reading.

For over a year now, Steve has been teasing SQRL in his weekly Security Now! podcast with Leo Laporte (in episode #510 - over 10 years).

This week, he gave the first public demo of SQRL, and announced a preview site that explains the technology behind it.

Here's the demo Steve did with Leo, from that podcast:

Here's the preview website (on Steve's "grc.com", for Gibson Research Corp, server): https://www.grc.com/sqrl/sqrl.htm

Fascinating stuff, if you're a geek at heart. Important technology coming down the road, if you're a website admin. And hope for a more secure, and more user friendly, future, if you're a user.

Unfortunate news if you're a nation-state with immense compute resources at your disposal. Steve has worked very hard in this design to keep even the NSA from being able to hack this.

5th June 2015, 07:24
Here's the original Security Now! podcast, from October of 2013, when Steve Gibson first announces SQRL, starting at 37.08 (https://youtu.be/UZ-nZ50BNrA?t=37m8s) into the video:

Here's a talk given at HTML5DevConf, just three weeks after the above, explaining SQRL to a wider audience of web security people:

5th June 2015, 08:10
Thank you, a smart solution.

5th June 2015, 10:57
and then doing something such as taking a camera shot of a QR code displayed on a websites home page with your phone camera.

1995, Johnny Mnemonic - a sequence of relatively random images as the encryption key.

6th June 2015, 13:35
Here's a talk that Steve Gibson gave himself, a half year ago (Nov 2014), on SQL:

12th June 2015, 14:59
Love and Peace