Multiple password confusion


russellg

New member
Oct 7, 2020
I am going to express an opinion here, by way of questions, based on incomplete understanding, but that's deliberate.

I tried to import my SQRL ID into the Firefox and Chrome extensions in Linux, but I couldn't get them to work as a way of registering for this forum. The problem was with the "New password" requested on import. I had set up my SQRL ID in Windows with Steve's client. I didn't fill in the "New password" field because I had assumed this was a mechanism for changing the password I had created when creating my ID in Windows. I left it blank. Eventually I came across threads here that explained that this password was not the one associated with the original creation of my SQRL ID.

So I now need 2 or 3 or more passwords. As I understand it, apart from the original one, these authenticate me as user of this SQRL ID on different devices. So not per site, or one master password for SQRL, but something in between. How is Joe Public supposed to realise this?

I seem to remember in Steve's presentations in Dublin (and Gothenburg?) that he said something like (paraphrasing) "sorry, but we can't get away with ignoring passwords altogether - we need one to authenticate the user when he/she attempts to use SQRL".

So now we may have several? Is this sensible or am I misunderstanding?

I realise there is some initial friction in a new user adopting SQRL - namely that they must understand the importance of the rescue code and that no-one can keep full control of their SQRL ID without it - no equivalent to the lost password link. That's a trade-off that a new user must buy into. But beyond that, everything else ought to be more intuitive and tldr. Otherwise adoption will never happen as the major movers like Google will see too much user downside.
 

PHolder

Well-known member
May 19, 2018
Well, always remember that SQRL has no "sync" functionality, at least so far, by design. Each and every client, although potentially loaded with copies of the same identity, is storing and managing its identity independently. This means it needs a password to secure the identity in place, on whatever device it happens to be running on. You can reuse the same password for each location, that is entirely up to you. Since the password never leaves the device, the only risk is that someone might see you enter it. Remembering that there is no sync, if you change it in one place, that will not affect any other place, so YOU get to manage the password change function... YOU are the sync ;)

Now, as for Firefox and Chrome, you should NOT be running more than one client on the same device. You already have Steve's client installed, you don't need the plugins, and in fact they may potentially cause you problems.
 

Dave

Well-known member
May 19, 2018
Gardner, MA
> You can reuse the same password for each location, that is entirely up to you.
Personally, I use the same password on multiple devices. Though it has been mentioned that someone might factor in the relative difficulty of entering a complex password on a mobile device versus that of doing so on a system with a proper keyboard and select platform-relative passwords. Also, while ill-advised, a password manager, like LastPass, could be used to enter the SQRL password on an Android device. Not that I have done so. 😇😈

> and in fact, they may potentially cause you problems.
Particularly with each competing to be the handler of sqrl:// links.
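The per-device password behaviour PHolder and Dave describe above, as an added example that is not part of the thread and not code from any SQRL client: one identity key is stored independently on two devices, each copy protected by its own local password, and changing one copy's password leaves the other untouched. The names `wrap`, `unwrap` and `change_password` are hypothetical, and the scrypt-plus-HMAC wrapping is a simplified stand-in for illustration, not SQRL's actual storage format.

```python
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> bytes:
    # 64 bytes of scrypt output: 32 to mask the key, 32 to authenticate the record.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)


def wrap(identity_key: bytes, password: str) -> dict:
    """Protect a 32-byte identity key under a password chosen on this device only."""
    salt = os.urandom(16)  # fresh salt per device copy
    k = _derive(password, salt)
    masked = bytes(a ^ b for a, b in zip(identity_key, k[:32]))
    tag = hmac.new(k[32:], salt + masked, hashlib.sha256).digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unwrap(store: dict, password: str) -> bytes:
    """Recover the identity key; a wrong password fails the integrity check."""
    k = _derive(password, store["salt"])
    expected = hmac.new(k[32:], store["salt"] + store["masked"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, store["tag"]):
        raise ValueError("wrong password for this device's copy")
    return bytes(a ^ b for a, b in zip(store["masked"], k[:32]))


def change_password(store: dict, old: str, new: str) -> dict:
    # Purely local: re-wraps this device's copy, nothing is sent anywhere.
    return wrap(unwrap(store, old), new)


if __name__ == "__main__":
    identity_key = os.urandom(32)  # constructed stand-in for an imported identity
    desktop = wrap(identity_key, "long desktop passphrase")  # constructed passwords
    phone = wrap(identity_key, "short-phone-pw")

    # Change the password on the desktop copy only.
    desktop = change_password(desktop, "long desktop passphrase", "new desktop phrase")

    print("same identity on both:",
          unwrap(desktop, "new desktop phrase") == unwrap(phone, "short-phone-pw"))
    try:
        unwrap(desktop, "long desktop passphrase")
    except ValueError as err:
        print("old desktop password:", err)
    # The phone still opens with its original password: there is no sync.
    print("phone unchanged:", unwrap(phone, "short-phone-pw") == identity_key)
```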