SQRL Login?

  • New Wordpress Plug-In Forum
    Guest:

    Just a note that we have a new forum to contain discussions relating to the Wordpress plug-in which Daniel Persson originated and has been making great progress on. You'll find it under "Server-Side Solutions."

    /Steve.

Chan (New member, Oct 1, 2019)
It sounded, from recent Security Now! podcasts, like Steve is saying that SQRL is becoming mature. So, I decided to try it out. The Windows SQRL app setup and identity creation wizards were nicely done. I will just throw these couple of questions out here to see if any of them stick.
1. The identity creation wizard really stressed printing my SQRL Rescue Code out on paper and not saving it on my local computer. Let's say...
I don't have a printer at home.
I can't go to my friend's house to print, because I would have to somehow save it to removable/cloud storage that I can access from my friend's computer.
I don't want to print it out at work, because that would save a copy in the printer/copier machine's local storage, which is known to be insecure...
Yeah, I'm just making up these excuses. I do have a printer; it's just out of ink. :whistle:
Anyway, if I were to print it to PDF and stash it in one of my VeraCrypt containers, and have that container sync to the cloud, or if I saved my SQRL Rescue Code in a LastPass secure note, would any of those options compromise my SQRL Rescue Code? After listening to Security Now! podcasts, I'm just not sure any more. No, I'm not paranoid; just a little more informed.
2. SQRL login, as in Secure Quick Reliable Login login? o_O Just kidding... Don't stress over this one. It makes sense to me. It just reminded me of the term "NIC card" that some of my former co-workers liked to use.
PHolder (Well-known member, May 19, 2018)
Quoting Chan: "I do have a printer; just out of ink."
You don't need to print it out... you can write it down, assuming your pens or pencils aren't also all out of ink. The idea behind doing that is that you get to check your handwriting in the next step, when it asks you to type the code back in.

Steve would recommend you keep your rescue code completely offline so that there is no chance of an online attacker getting it. (This presumes you're not silly enough to type it into a phishing email, of course.) You could do "print to PDF" and save the PDF file onto a USB stick that you keep secured in your safe (or safety deposit box). If all goes well you will virtually never need your rescue code, so making it harder to use is not necessarily a bad thing.

Vela Nanashi (Well-known member, May 19, 2018)
I have no printer, but I wrote the code down on paper myself :) Seemed like the easiest solution at the time.

Also wrote down the textual version of my backup ID, after a lot of fighting with the version of the SQRL client I had at the time.
 

Gristle (Well-known member, Feb 16, 2019)
No longer contributing to this forum due to harassment from PHolder.

Vela Nanashi (Well-known member, May 19, 2018)
Well, SQRL might not be for those people. Also, there is nothing preventing someone from providing a service that handles that stuff for you so you can use SQRL. I would never ever want that, though.

However, I think that some of those lazy people might actually put in the slight effort needed for SQRL, since once you have two places where you use SQRL you get one password for free, and that keeps increasing. However, people who just do the "recover password" thing every time, or use passwords such as monkey12345 or password12345, will most likely never get it or care, and will never convert willingly to SQRL. SQRL will allow you to use monkey12345 as the password to unlock its key, but it still means you have to keep track of that key, so maybe that is a compromise they can consider, or a password like "yesIWantToLogInDamnIt!" with a quick-password length of 1, so you just press y to log in :) I mean, the client will perhaps complain about password strength, but SQRL with a weak password is better than a site with a weak password, given that it has an actual random number as its key.

The rescue code and identity, and keeping those safe, would likely be something that those people, if they care about being able to log in, would pay for.

Personally, I think it would be kind of neat to provide some sort of cloud for people to store their identity and rescue code in, but I really don't know how to do that in a way I would find acceptable personally. But for those users who want a "just log me in, I don't want to remember any passwords at all" kind of thing, maybe it would be something useful to provide? Just how do I do it so I am not liable to be sued if someone gets hold of the poorly secured passwords?

I can't rely on audio or video calls with people, or driver's licenses, or social security numbers, or anything like that, since all of those have very weak security and can even be deepfaked these days; nobody would know.

I think it might be acceptable for those people to have a local techie they can buy dinner for and can then trust to keep that stuff safe for them :)

Or they can be really crazy and trust their email provider, whose password they somehow remember, and save the identity and rescue code in an email to themselves there. A very, very bad idea, but you know, that is basically what they are doing anyway.

It would be their choice, though. Not an innate flaw in SQRL :)
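An added example (my own code, not SQRL's and not anything the poster wrote) of the point made above about a weak unlock password versus a weak site password, together with the caveat a practitioner would want: a leaked site record reveals nothing password-derived, but a stolen identity file can still be attacked offline, so the stretching cost is what the weak password leans on. The 32-byte master key, the HMAC-SHA256-per-domain derivation, the XOR-plus-HMAC wrapping and PBKDF2 standing in for SQRL's EnScrypt are assumptions of this model, not taken from the SQRL specification:

```python
"""Model of a password-unlocked random master key versus a site-stored password.
Added illustration, not SQRL's own code. Assumptions made for the model:
  - the master key is 32 random bytes;
  - the per-site secret is HMAC-SHA256(master_key, domain);
  - PBKDF2-HMAC-SHA256 stands in for SQRL's time-based EnScrypt so the block
    runs with only the standard library.
"""
import hashlib
import hmac
import secrets

STRETCH_ITERATIONS = 20_000  # assumption: the knob that sets the offline guessing cost


def new_master_key() -> bytes:
    """The secret that matters: 256 random bits, never typed or sent anywhere."""
    return secrets.token_bytes(32)


def derive_site_key(master_key: bytes, domain: str) -> bytes:
    """Per-site secret from the master key and the domain (assumed construction).
    A site only ever sees a value derived from this, so a record stolen from
    site A says nothing about site B and contains nothing password-derived."""
    return hmac.new(master_key, domain.encode("ascii"), hashlib.sha256).digest()


def _stretch(password: str, salt: bytes) -> bytes:
    # Stand-in for EnScrypt: slow, salted derivation of a 32-byte wrapping key.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               STRETCH_ITERATIONS, dklen=32)


def wrap_master_key(master_key: bytes, password: str, salt: bytes) -> dict:
    """Build the 'identity file': the master key encrypted under the unlock password.
    XOR with the stretched key plays the cipher; the HMAC tag lets unwrapping
    detect a wrong password instead of silently returning garbage."""
    assert len(master_key) == 32
    kek = _stretch(password, salt)
    ciphertext = bytes(m ^ k for m, k in zip(master_key, kek))
    tag = hmac.new(kek, ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def unwrap_master_key(identity_file: dict, password: str):
    """Return the master key, or None when the password is wrong."""
    kek = _stretch(password, identity_file["salt"])
    tag = hmac.new(kek, identity_file["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, identity_file["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(identity_file["ciphertext"], kek))


def conventional_site_record(password: str) -> bytes:
    """What a typical password site keeps: a hash of the password itself
    (unsalted here for brevity). Crack it and you hold a reusable password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def guess_password(check, candidates):
    """Offline dictionary attack: first candidate that `check` accepts, else None."""
    for pw in candidates:
        if check(pw):
            return pw
    return None


def crack_site_record(record: bytes, candidates):
    """Site database leaked: a matching guess is the user's actual password."""
    return guess_password(
        lambda pw: hmac.compare_digest(conventional_site_record(pw), record), candidates)


def crack_identity_file(identity_file: dict, candidates):
    """The caveat: a stolen identity file (crypto-malware, a synced PDF, a leaked
    vault) is attacked the same way, only slowed down by the stretching."""
    return guess_password(
        lambda pw: unwrap_master_key(identity_file, pw) is not None, candidates)


def demo():
    """Constructed scenario: weak unlock password, two sites, a small attacker wordlist."""
    weak = "monkey12345"
    wordlist = ["password12345", "letmein", weak]
    mk = new_master_key()
    identity = wrap_master_key(mk, weak, secrets.token_bytes(16))
    return {
        # the per-site record holds no password-derived value, so there is nothing to match
        "site_record_reveals_password": crack_site_record(derive_site_key(mk, "example.com"), wordlist),
        "conventional_record_reveals_password": crack_site_record(conventional_site_record(weak), wordlist),
        "stolen_identity_file_reveals_password": crack_identity_file(identity, wordlist),
        "records_linkable_across_sites": derive_site_key(mk, "example.com") == derive_site_key(mk, "example.org"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two halves of the argument side by side: the conventional site record gives up "monkey12345" to the wordlist and the SQRL-style site record gives up nothing, but the stolen identity file also gives up "monkey12345", which is why the offline paper copy the wizard asks for, and a slow stretching function, matter more than the unlock password's strength.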
 

Chan (New member, Oct 1, 2019)
Thanks for all the input. Although, I never thought the "printer out of ink" excuse would be the sticking point in this post. My question was specifically about VeraCrypt or LastPass as alternatives to paper. Basically, I'm just asking the experts (you guys) to see if any of these alternatives are good or not. With @PHolder's response of keeping it completely offline, and SQRL's identity creation wizard stressing the same, I guess the alternatives are a no go.

Btw... I have yet to encounter flawless software (as if I know what I'm talking about ;)). But so far, SQRL seems to be doing what it was designed for without any issues.

Thank You!
 

Vela Nanashi (Well-known member, May 19, 2018)
The reason for a piece of paper instead of some digital way is that digital ways can be fragile (including the USB memory in a safe).

However, if you are comfortable storing the only copy of the identity, which cannot be recovered if that copy breaks (thus losing you all the logins and making you create new accounts everywhere), in one digital place, then why not? If you have (good) enough backups of it, then it might be safer than paper :)

An encrypted volume like VeraCrypt can even be safer than a piece of paper in some ways, in some countries at least, as long as you don't have the password for it written down.
 

Gristle (Well-known member, Feb 16, 2019)
No longer contributing to this forum due to harassment from PHolder.

Vela Nanashi (Well-known member, May 19, 2018)
It does not need to be a protocol change for users to optionally give their secrets to a third party to keep; it can be something clients offer. But I do say it must be optional. I will never ever use that feature myself; I do not want it, it is not as secure, and it can never be as secure.

For a similar reason, I do not want to have my secret only inside a hardware token: I cannot recover from that if it is lost. I need to be in control of my secret, not someone else, and not a thing that won't give me the secret. I also do not want to have to depend on other people or corporations to do the right things.
 

PHolder (Well-known member, May 19, 2018)
Quoting Chan: "I guess the alternatives are a no go."
Well, Steve is very cautious because, no doubt, he knows that people do have accidents like crypto-malware and the like, and he assumes those sorts of attacks won't work on an offline paper copy.
 

Gristle (Well-known member, Feb 16, 2019)
No longer contributing to this forum due to harassment from PHolder.