ThePythonicCow
5th June 2015, 06:29
Websites, even some of the biggest and most secure, have proven time and again that they cannot guarantee the secrecy of your account information. They are all at risk of being hacked.
Users, even the most careful and geeky, have proven time and again that they cannot be relied on to always follow "best practices" in managing account passwords. Sooner or later they will reuse a password, or use one that's too simple, or write the password down on a piece of paper or in a computer file that someone else might see.
Passwords suck. Both website admins and website users agree on that much. But they're the best we have in most cases, and so we're stuck using them.
Steve Gibson, who some of us old computer nerds will recognize as the author of Spinrite (the finest disk error recovery tool, ever, and still), is developing a replacement for passwords. It's called SQRL (pronounced "squirrel"). It uses public-key encryption so that websites no longer need to keep a secret password to check your identity. Rather you keep the secret on your PC, Mac or smart phone, and websites keep only your public key.
SQRL stands for "Secure Quick Reliable Login". It is a comprehensive, easy-to-use, high security replacement for usernames, passwords, reminders, one-time-code authenticators . . . and everything else. It promises to be both easier to use, and more secure. No secret is kept on websites to validate your login, and you do not need to manage separate, hopefully "random enough", passwords for each website. Logging in can be as simple as entering a single, not too difficult, password into your PC or phone that identifies you to your phone, and then doing something such as taking a camera shot of a QR code displayed on a website's home page with your phone camera.
If you're looking for a replacement for your password manager ... it's too early ... come back in perhaps a year.
But if you're secretly aspiring to be a computer geek in cryptography ... keep reading.
For over a year now, Steve has been teasing SQRL in his weekly Security Now! podcast with Leo Laporte (in episode #510 - over 10 years).
This week, he gave the first public demo of SQRL, and announced a preview site that explains the technology behind it.
Here's the demo Steve did with Leo, from that podcast:
2QQ-Hi7npbM
Here's the preview website (on Steve's "grc.com", for Gibson Research Corp, server): https://www.grc.com/sqrl/sqrl.htm
Fascinating stuff, if you're a geek at heart. Important technology coming down the road, if you're a website admin. And hope for a more secure, and more user friendly, future, if you're a user.
Unfortunate news if you're a nation-state with immense compute resources at your disposal. Steve has worked very hard in this design to keep even the NSA from being able to hack this.
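The login flow described in the post (the site keeps only a public key, and one master secret serves every site), as an added sketch in Go that is not part of the original post and is not SQRL reference code. Deriving the per-site key as HMAC-SHA256 of the domain under the master key and signing with Ed25519 follows SQRL's published design; the `Site` type, the challenge string format and the sample secret are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// siteKey derives the per-site signing key: HMAC-SHA256(master, domain) is the Ed25519 seed.
func siteKey(master []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Site is a hypothetical server model: it stores public keys only, never a secret.
type Site struct {
	Domain         string
	Known, Pending map[string]bool // registered public keys; challenges not yet used
}

// Challenge issues a single-use string binding a random nonce to the domain (constructed format).
func (s *Site) Challenge() string {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	c := fmt.Sprintf("sqrl://%s/login?nut=%x", s.Domain, nonce)
	s.Pending[c] = true
	return c
}

// Login needs an outstanding challenge, a registered key and a valid signature over the challenge.
func (s *Site) Login(challenge string, pub ed25519.PublicKey, sig []byte) bool {
	if !s.Pending[challenge] || len(pub) != ed25519.PublicKeySize {
		return false
	}
	delete(s.Pending, challenge) // single use: a captured response cannot be replayed
	return s.Known[string(pub)] && ed25519.Verify(pub, []byte(challenge), sig)
}

func main() {
	key := siteKey([]byte("constructed demo master secret"), "example.com")
	pub := key.Public().(ed25519.PublicKey)
	site := &Site{"example.com", map[string]bool{string(pub): true}, map[string]bool{}}
	c := site.Challenge()
	fmt.Println("login ok:", site.Login(c, pub, ed25519.Sign(key, []byte(c))))
}
```

A breach of the site's user table in this model exposes only public keys, and because each domain gets a different key, those keys cannot be matched against another site's records.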