Videos demonstrating SQRL


the7erm

Member
Jun 13, 2019
tldr: How should I handle the security of the identity? Like an id_rsa or id_rsa.pub file(s)?

Is it just me, or is a key "Hey, don't do this" missing from the videos?

Am I supposed to keep the identity string (the big 87-character string) a secret? It seems like an id_rsa.pub file/key: it just doesn't matter who knows it, because you need to enter the rescue code to import or update your password. You also need to know the password before you can even use it.

It's obvious to me that the rescue code needs to be kept a secret, but it's not explicitly said in any of the videos or documentation I've read so far.

Perhaps it's me and there were instructions and it just didn't click because there weren't bold letters stating DON'T SHARE THESE WITH ANYONE.

I generated my identity with either the Firefox or Chrome plugin, then imported it into the other browser's SQRL plugin - I can't remember which order. So perhaps it's the plugin that needs to display this message, and sqrl.exe does an adequate job of stating this. Either way I'm still left with some confusion on the issue and would like to know the answer.
 

the7erm

Member
Jun 13, 2019
Treat your identity, and all parts of it, like you would treat a password. Don't share it.
Thanks for clearing that up.

Umm, err, this is awkward. I'd never allow a paper copy of my password. I'd put it in KeePass and share that file with my phone via Syncthing or something like that.

It's a little disconcerting that my identity is so easily displayed in all the web plugins & the Android app.

If I'm supposed to treat it like my password then displaying the identity should be harder.

Exporting the identity should require the password or the recovery code. I guess this is one of those security vs. convenience things. It's like being able to click "show password" in a browser's password manager without having to enter a password.
 

Steve

Administrator
Staff member
May 6, 2018
www.grc.com
@the7erm: I think the bit you are missing is that all identities everywhere are ALWAYS encrypted. Paul's point was to avoid sharing your identity in the interest of prudence. But it doesn't really matter if it is displayed.

Consequently, exporting the identity doesn't require the password or Rescue Code, because USING it always does. I certainly understand your confusion, since many other systems are not designed from the start to be secure. SQRL has been.

And the other bit you are missing is the concept of keeping things offline. You said "I'd never allow a paper copy of my password. I'd put it in keepass..." This is exactly how people's security is compromised every day. You are welcome to manage your identity any way you choose. It's your business. But SQRL's advice will always be to print out and take things OFFLINE. No hacker in Russia or China can access your paper-printed identity and rescue code when it's in a drawer. But when it's in KeePass there are many ways for you to be compromised.
 

Dave

Well-known member
May 19, 2018
Gardner, MA
Installing SQRL on Android:
Great job!!

My only comment is that it starts instantly. It could absolutely just be me but, I felt almost like it started in the middle of something... As if maybe I missed something at the beginning. I actually backed it up to double check. If I'm not the only one, you might want to consider perhaps leaving just a second or so before the audio starts so I can get my hand off the mouse and be ready to listen.
 

warwagon

Well-known member
May 20, 2018
Iowa
Great job!!

My only comment is that it starts instantly. It could absolutely just be me but, I felt almost like it started in the middle of something... As if maybe I missed something at the beginning. I actually backed it up to double check. If I'm not the only one, you might want to consider perhaps leaving just a second or so before the audio starts so I can get my hand off the mouse and be ready to listen.
Thanks for the feedback. Yes, the audio is just BAM right there, but even though there is not a second or so of silence, I do give you about 8 seconds to get ready as I recap what I'm going to be showing you (which is also listed in the description). As you noticed, I said "click" a few times in this video instead of "tap", and "Master password" instead of "SQRL Password" at the end. Steve uploaded the wrong version of the video. Those things are corrected. He just needs to download the other version. (I sent him a second link after the first one, so he may not have seen it.)
 

Simon9

Well-known member
Mar 13, 2019

laterdaze

New member
Jun 20, 2019
My Windows 10 system says "This type of video file is not supported". What type is it? Flash?
 

Paul F

Well-known member
Apr 11, 2019
Toronto
Yeah well, regardless, the protocol was touted as not having to provide a password when logging into websites.
...
You shouldn't have an extra step of having to type a portion of your password every time you want to log in.
As it happens, the SQRL protocol doesn't require a password. That's an implementation option for the client. The password can be null. If you want to remove the password from your identity file you can use this program https://fil.email/PDHVzb36 . It will be hosted there for 7 days. Select your identity file, enter the rescue code, decrypt it, and encrypt it again without specifying a password. The IUK, by the way, is your most secret SQRL identity. Anyone with it has full control of your identity without needing a rescue code or password. Use this program at your own risk. Note: the program is for the Windows client and <identity>.sqrl files and may or may not work with other clients.
 

PHolder

Well-known member
May 19, 2018
Use this program at your own risk
If you somehow get an attacker (or their malware) on your PC and your identity is exfiltrated while it has no protective [password based] encryption, then it is game over for that identity... so make sure you're careful how you use such power...
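An added illustration of the two points made above, by Steve (the identity is only ever stored encrypted, so exporting or displaying the file reveals nothing, while using it requires the password) and by Paul F and PHolder (re-wrapping under an empty password leaves a file anyone can open). This is not SQRL's code or file format: it substitutes a stdlib-only construction (scrypt key derivation with an HMAC-based keystream and tag) for SQRL's EnScrypt and AES-GCM, and SAMPLE_IUK is a constructed value, not a real identity.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the at-rest model this thread describes: the master secret
# (the IUK, in SQRL terms) is only ever stored wrapped under a password-derived key.
# NOT SQRL's real file format (SQRL uses EnScrypt and AES-GCM); stdlib-only so it runs offline.

SAMPLE_IUK = bytes(range(32))  # constructed 32-byte secret, not a real identity

def _derive_key(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF: a stolen file still forces slow, per-file password guessing."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a simple keystream generator."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_identity(iuk: bytes, password: str) -> dict:
    """Wrap the IUK. The blob is safe to display or export: it holds only ciphertext
    plus salt, nonce and authentication tag, never the IUK itself."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _derive_key(password, salt)
    ct = _xor(iuk, _keystream(key, nonce, len(iuk)))
    tag = hmac.new(key, nonce + salt + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def decrypt_identity(blob: dict, password: str) -> Optional[bytes]:
    """USING the identity needs the password: a wrong password or a tampered blob
    fails the tag check and returns None without revealing anything."""
    key = _derive_key(password, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return _xor(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"])))

def strip_password(blob: dict, password: str) -> Optional[dict]:
    """Re-wrap under the empty password, as the tool Paul F describes does. The result
    decrypts for anyone holding the file, which is the 'game over' case PHolder warns of."""
    iuk = decrypt_identity(blob, password)
    return None if iuk is None else encrypt_identity(iuk, "")
```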
 

CoreyM

Member
May 10, 2019
I don't know if I will keep this after SQRL is out in the world, but for now I have the long SQRL password saved in LastPass. LastPass is biometric-enabled, so SQRL is as well. Once there are lots of sites using SQRL I may decide that keeping the full password for SQRL in LP is not a good idea, but it is just fine for now.
 

Gristle

Guest
No longer contributing to this forum due to harassment from PHolder.
 

IndyDev

New member
Nov 8, 2019
While I understand the security issue of leaving the client open, this was sold a little differently. No one has to re-type their password when using LastPass or KeePass, so it's natural for them to wonder why they have to do it now. The real benefit is that you don't have to keep making up new passwords. It's just one sign-on process wherever you happen to go. But I also think the client should be smarter than just using some set timeout process. For those securely using their computer at home, it makes more sense for the re-identification to the client process to kick in after a real event, like the screen blanker coming on, the user logging off, sleep mode, etc. Most users would understand having to re-identify to the client under those conditions. These can be added into clients, and should be considered before making such great claims to the public, since they won't see it the way we do.
 

PHolder

Well-known member
May 19, 2018
The GRC client requires you to always assert you are you before allowing you to use the identity. You could set the QuickPass to a single character if that works for you. And there are options to control when to drop the QuickPass:
[Screenshot: SQRLFullPassOptions.png, the GRC client's QuickPass options]