Password Change


Status
Not open for further replies.

jkw_physics

New member
Jan 31, 2019
1
0
Midwest
Changing one's password on one client, and then using the "reset password" on another client seems like a really confusing way to make the change happen across multiple clients. There doesn't seem to be an "import" function however that does not generate a completely new identity. Is this the best way to accomplish this? I realize the point is that your password is not stored anywhere (and thus can't sync), but the QR codes seem to only handle identities as a whole.
 

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
JKW: Let me break that apart a bit for you:
  1. All SQRL clients should have a change password feature. And, yes, if you change your password on one it would be sane to synchronize the change on all of them. On the other hand, at the risk of being confused, a mobile device which is more prone to theft might use a longer password (or a longer password decryption time), whereas your desktop home client might have a shorter password and fast decryption.

  2. All SQRL clients should have a means of easily exporting and importing identities. Mine does and the other mobile clients do too. So you COULD change your password on one and import that identity, which contains that new password, into other clients.
 

Dave

Well-known member
May 19, 2018
485
99
Gardner, MA
So you COULD change your password on one and import that identity, which contains that new password, into other clients
I haven't tried it but can you import and overwrite an existing Identity on all of the clients?
 

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
You would have to check the behavior of specific clients. But I would think you could delete an identity, then import it as new.
 

Dave

Well-known member
May 19, 2018
485
99
Gardner, MA
You would have to check the behavior of specific clients. But I would think you could delete an identity, then import it as new.
LOL!! You and I had a whole argument (not really) about if the GRC client should allow deleting identities and you said no!

And, coincidentally, just about half an hour ago I deleted the .sqrl files for several duplicate identities created while testing import.
 

PHolder

Well-known member
May 19, 2018
1,214
203
Unless I have drastically misunderstood, I think we should be very clear here that the password is not part of the identity, it is the means that controls access to it. If you change your password, it should not change any other aspect of the identity it protects. It is my understanding that when you export the identity, you can export it with or without a password wrapper. If you chose to supply a password for the wrapper, it doesn't need to be the same password that protected entry into the client the export is attempted from.
 

Dave

Well-known member
May 19, 2018
485
99
Gardner, MA
If you chose to supply a password for the wrapper, it doesn't need to be the same password that protected entry into the client the export is attempted from.
@PHolder, your understanding is consistent with mine (not that that carries any weight). I just took an Identity that was print-exported with the password and imported it into the GRC client using a web cam to read the QR Code. All it asked for is a name. The password that was in place at the time of export was retained as the current password. While your summary IS on point, to have a different password you would have to "change" it after importing. If it was exported without the password, you ARE prompted for a password with no connection to, or retention of, the old password.
 

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
@Dave: I believe that if the identity is exported without the password then the RescueCode is required to use the imported identity, and, after successfully providing the RC, then a password is requested. This is the safest storage form of the identity since it is not also encrypted with the password (which may have reduced entropy); it's only encrypted under the Rescue Code.
 
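The two points the thread settles on, that the password is only a wrapper around the identity's key material (PHolder's post) and that an identity exported without that wrapper can only be opened with the Rescue Code before a fresh password is set (Steve's post above), are easy to see in a small model. The following is an added example written for this page, not code from the SQRL project or the GRC client, and it is a deliberate simplification: it uses hashlib.scrypt with toy cost parameters in place of SQRL's EnScrypt, an HMAC-based encrypt-then-MAC construction in place of AES-GCM, and a plain SHA-256 of the Identity Unlock Key in place of SQRL's real Identity Master Key derivation. All function names (derive_key, seal, password_block, rescue_block, export_identity, import_identity, change_password, site_key) are this example's own; the "type1"/"type2" labels echo the S4 block types only loosely.

```python
"""Toy model of a password-wrapped vs. Rescue-Code-wrapped identity.

Simplified stand-in, NOT SQRL's real S4 format, EnScrypt or AES-GCM:
- key derivation: hashlib.scrypt with small cost parameters
- encryption: encrypt-then-MAC with an HMAC-SHA256 keystream
It shows that changing the password re-wraps the same key material,
so every site key derived from the identity stays identical.
"""
import hashlib
import hmac
import secrets

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 10, 8, 1  # toy cost; real EnScrypt is far heavier


def derive_key(secret: str, salt: bytes, rounds: int) -> bytes:
    """EnScrypt-style: run scrypt `rounds` times, each salted with the previous
    output, and XOR all the results together (toy parameters)."""
    out, salt_i = bytes(32), salt
    for _ in range(rounds):
        salt_i = hashlib.scrypt(secret.encode(), salt=salt_i, n=SCRYPT_N,
                                r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        out = bytes(a ^ b for a, b in zip(out, salt_i))
    return out


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode; domain-separated from the tag computation below
    stream, counter = b"", 0
    while len(stream) < length:
        stream += hmac.new(key, b"ks" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return stream[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes) -> dict:
    """Toy authenticated encryption (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag, "aad": aad}


def open_sealed(key: bytes, box: dict) -> bytes:
    expected = hmac.new(key, b"tag" + box["aad"] + box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("wrong password / Rescue Code, or tampered data")
    return bytes(c ^ k for c, k in zip(box["ct"], _keystream(key, box["nonce"], len(box["ct"]))))


def new_identity() -> dict:
    iuk = secrets.token_bytes(32)                              # Identity Unlock Key: the root secret
    return {"iuk": iuk, "imk": hashlib.sha256(iuk).digest()}  # toy Identity Master Key derivation


def new_rescue_code() -> str:
    return "".join(str(secrets.randbelow(10)) for _ in range(24))  # 24 decimal digits, as in SQRL


def site_key(imk: bytes, site: str) -> bytes:
    """Per-site key material: the thing a website actually recognises. Unaffected by the password."""
    return hmac.new(imk, site.encode(), hashlib.sha256).digest()


def password_block(imk: bytes, password: str, rounds: int = 2) -> dict:
    """'type1'-like block: IMK wrapped under the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "rounds": rounds, "box": seal(derive_key(password, salt, rounds), imk, b"type1")}


def rescue_block(iuk: bytes, rescue_code: str, rounds: int = 3) -> dict:
    """'type2'-like block: IUK wrapped under the Rescue Code only."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "rounds": rounds, "box": seal(derive_key(rescue_code, salt, rounds), iuk, b"type2")}


def unlock_with_password(block: dict, password: str) -> bytes:
    return open_sealed(derive_key(password, block["salt"], block["rounds"]), block["box"])


def unlock_with_rescue_code(block: dict, rescue_code: str) -> bytes:
    return open_sealed(derive_key(rescue_code, block["salt"], block["rounds"]), block["box"])


def export_identity(stored: dict, include_password_block: bool) -> dict:
    """Export with or without the password wrapper; the Rescue-Code block always goes along."""
    return {"type1": stored["type1"] if include_password_block else None, "type2": stored["type2"]}


def import_identity(exported: dict, password=None, rescue_code=None, new_password=None) -> dict:
    """With a password block present, the exported password unlocks it unchanged.
    Without one, the Rescue Code is required and a fresh password is set afterwards."""
    if exported["type1"] is not None:
        imk = unlock_with_password(exported["type1"], password)
        return {"type1": exported["type1"], "type2": exported["type2"], "imk": imk}
    iuk = unlock_with_rescue_code(exported["type2"], rescue_code)
    imk = hashlib.sha256(iuk).digest()
    return {"type1": password_block(imk, new_password), "type2": exported["type2"], "imk": imk}


def change_password(stored: dict, old: str, new: str) -> dict:
    """Only the wrapper changes: the IMK inside, and the Rescue-Code block, are untouched."""
    imk = unlock_with_password(stored["type1"], old)
    return {**stored, "type1": password_block(imk, new)}
```

Because change_password never touches the "type2" block or the key material, a client that imports the identity later sees exactly the same site keys whichever password it was wrapped under, and an export made without the password block carries nothing that a guessed password could unlock.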

bpads

New member
Mar 19, 2019
3
0
It will be confusing for people that changing the password for one client does not change the password in all clients. What are your thoughts about notifying the user that the password has not been changed for all clients, and that if they want to keep their devices in sync they should update the password on their other clients?
 

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
It will be confusing for people that changing the password for one client does not change the password in all clients. What are your thoughts about notifying the user that the password has not been changed for all clients, and that if they want to keep their devices in sync they should update the password on their other clients?
Yes, I agree 100%. The next thing I do once I get the "What If..." section finished is to add clear password change and rekeying reminders to the process so that users are taught that this synchronization is not automatic.
 