Videos demonstrating SQRL


IndyDev

New member
Nov 8, 2019
3
1
Pardon my not recognizing the options in the previous post. Those are totally appropriate. I admit I have only been partially keeping up with SQRL as it was developed (I spent a great deal of time in college trying to get PGP adopted, so I have scars that have kept me away from getting fully involved with SQRL), and thus I am trying to understand the threat that requires a re-assert on every single use. On a public computer, ok I get it. On my own personal VPN'd, firewalled, well maintained linux box? If this has been covered, sincere apologies. Yes I understand you can set the key to 1 (which is kind of silly since 1 key provides no security, yet I still have to type it), but why can't I set it to 0 and rely on the events to secure the client? If this is just an oversight in the client development ok, just make it an option in the new client.

NOTE: I'm not whining about the software. I am trying to make it more usable so that more people adopt it.
 

PHolder

Well-known member
May 19, 2018
1,214
203
Well, I have no intention to speak for @Steve on the topic, but I have my own opinions. If you don't have to enter ANY password at some point, then that means your identity resides in RAM unprotected. (You can argue it could be encrypted, but the key would have to itself reside in RAM, so this is really a false sense of security.) If identity stealing malware gets onto your PC somehow (say some weird Javascript sandbox escape) and grabs your identity, then you're in for a potential world of pain. I understand your request, and your thinking, but Steve is a very security conscious and conservative guy, so I equally understand the reasons for his choices. You also have to consider that while you personally might be happy with no password in some scenarios, the people you're worried about, the average users, are the ones most likely to unintentionally abuse themselves and end up in trouble. Additionally, since login is meant to be fairly infrequent... I don't see the issue with the [quick] password being necessary on occasion. For example, this very site (these forums) uses a cookie, and I think I use SQRL to log into the site approximately twice a month, depending on how often I restart my browser for patches and whatnot. That's not really very onerous in my opinion.
 

warwagon

Well-known member
May 20, 2018
165
64
Iowa
While I understand the security issue of leaving the client open, this was sold a little differently. No one has to re-type their password when using lastpass or keepass, so it's natural for them to wonder why they have to do it now. The real benefit is that you don't have to keep making up new passwords. It's just one sign-on process wherever you happen to go. But I also think the client should be smarter than just using some set timeout process. For those securely using their computer at home, it makes more sense for the re-identification to the client process to kick on after a real event, like the screen blanker coming on, the user logging off, sleep mode etc. Most users would understand having to re-identify to the client under those conditions. These can be added into clients, and should be considered before making such great claims to the public--they won't see it the way we do.
I enter my LastPass password all the time, so I make sure I don’t forget it. So I set my LastPass to sign me out every once in a while.
 

IndyDev

New member
Nov 8, 2019
3
1
I agree that you should have to enter passwords every once in a while. I am only talking about the QuickPass frequency. Unfortunately I cannot test SQRL very much because there aren't many places using it, but it seems to ask for every place I login, even if I used it 15 seconds ago.

I am not willing to die on a hill over this (at least not yet :)), just that the success of SQRL requires wide adoption. As it stands now, and I REALLY like SQRL, I cannot recommend it to most of my very technical friends simply because of its infancy in terms of usability. Everything I see here is pretty minor. When I tried to write clients for PGP and WinPGP, I just couldn't understand why people weren't using it. Well...? (PGP has some real technical use challenges left however-- like key rotation etc.), I learned that the sheer genius of a solution is not enough to gain adoption.

I'm not sure we need to play Mommy in code. Today, I risk my passwords on every site simply because they are stored on those sites. SQRL doesn't do this. Some bloke who gets his client compromised has no effect on me (unless it's actually me).

Unless there is something else I don't understand, I'm done with this issue. I appreciate the responses.
 

fairlane

New member
Jun 14, 2019
4
0
Well don’t I feel sheepish. Finally got to watch Steve in action at the OWASP presentation and yep, I misunderstood the point of re-entering a small portion of your master password. His reasons for it on stage make sense now that I can visually see it. I wouldn’t turn it off for the same reasons mentioned above. So I’m getting excited again. 😻😻
 

shanedk

Well-known member
May 20, 2018
421
113
A few weeks ago, I demonstrated SQRL for my largely non-techie audience, and I'll repost that here for the convenience of those who don't want to scroll up:


So earlier today I did a follow-up on actually going through the process of creating an identity:


(The part that's probably the most fun for everyone else is 9:00 when I screw up...)
 

Russell

Member
Apr 28, 2019
12
0
I'm surprised no reactions yet to these videos. They're awesome Adam. You are to be commended! You saved the best for last. The last 30 seconds of the last video are the "killer app" portion.

Now, I must say, that the discussion between the southern gentleman and you in the first video, along with the "mashing" of buttons in that one instance quite exposes you as a true southerner, hehe!

I'd like to personally thank you for your efforts here; you've made this really cool stuff more accessible. I think your activity is to be commended.
Freakin Brilliant! How's that for a reaction then?
Is an iPhone version available yet?
 

thejim

New member
Aug 25, 2020
2
0
Man I am lost! I feel I understand the basics of how sqrl works ESPECIALLY THE SET UP!!!~!!! after hours of listening and watching. How many videos do we need on setting up the original password? Let's say I am the only person in the world that actually wants to practically use this program. I have an account on a website I already use like google and want to convert over to this. It seems impossible at present, unless this is only for creating new accounts, and even still I don't see a generator button or any options? I have tried the pc app, android, firefox and google. Yes I can log in and make that wonderful scan code with one password. Now what? My understanding was that once I am logged into the browser extension or add on of sqrl, that I could get a user name and password generated or made specifically for a website. The programs seem useless at present...... who has a use for a program that does nothing but allows you to log into only itself super securely? I couldn't even use it when setting up an account on this forum. I did find one specific video for this website, hoping it would explain. But no. It is magic. Are we still waiting for upgrades? I just downloaded the latest versions today. Please help!
 

PHolder

Well-known member
May 19, 2018
1,214
203
@thejim I think you have missed the point of SQRL. It is NOT a password manager. You can't use it with any site not specifically set up to work with SQRL. Unfortunately there are not a lot of those in existence as yet, so you may be too early to a party that hasn't happened yet (and may never happen... who knows.)

This site does work with SQRL, and you can see my instruction for that here: https://sqrl.grc.com/threads/how-to-register-a-new-account-on-these-forums-with-sqrl.267/

Unfortunately, as you have already created an account, that isn't going to work for you. To add a SQRL identity to your current account, click on your userID up on the top right, and go to "Connected accounts" (this link may work: https://sqrl.grc.com/account/connected-accounts/ ) and there you will be able to associate your SQRL ID with your account.
 

Sithmagic

Well-known member
Oct 12, 2019
75
21
I have an account on a website I already use like google and want to convert over to this.
The website needs to support SQRL first, which would be good for the website - eventually (no more passwords to be stolen). If you happen to know the website admin/authority, perhaps you could point them here (for details on how to implement on the server side) and ask them to add SQRL to the logon options? You will then be able to link your existing account with the SQRL logon public key that is generated (uniquely and on the fly for each website).
allows you to log into only itself super securely
That bit unlocks YOUR OWN private master key that is used to generate the private/public key pair for the website from the SQRL url (you wouldn't leave your valuables unlocked would you?). Once you have an identity, that should be it - it can be copied between devices so it is the SAME identity. You only need to generate new ones if YOU believe the master key has been compromised - that is all up to you to manage, not google/apple whoever - you control it no one else.
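
The per-site key generation described in the post above, as an added example that is not part of the original post or of any SQRL client's code. It assumes the derivation is HMAC-SHA256 keyed with the identity master key over the site's domain name, producing the 32-byte seed from which the site's Ed25519 key pair is made; the master keys and URLs are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(sqrl_url: str) -> str:
    """Return the lowercased host of a sqrl:// URL, ignoring port, path and nut."""
    parts = urlsplit(sqrl_url)
    if parts.scheme != "sqrl" or not parts.hostname:
        raise ValueError("not a sqrl:// URL with a host: %r" % sqrl_url)
    return parts.hostname  # urlsplit lowercases the host and drops the port


def per_site_seed(master_key: bytes, sqrl_url: str) -> bytes:
    """Derive the 32-byte per-site private seed (assumed construction, see lead-in)."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    domain = site_domain(sqrl_url).encode("ascii")
    return hmac.new(master_key, domain, hashlib.sha256).digest()


# Constructed sample identities (never derive a real master key like this).
MASTER_A = hashlib.sha256(b"constructed demo identity A").digest()
MASTER_B = hashlib.sha256(b"constructed demo identity B").digest()

if __name__ == "__main__":
    for url in ("sqrl://example.com/cli?nut=aaa",
                "sqrl://EXAMPLE.com:443/cli?nut=bbb",   # same site, new nut
                "sqrl://other.example/cli?nut=aaa"):    # different site
        print(site_domain(url), per_site_seed(MASTER_A, url).hex()[:16])
```

The same identity copied to another device derives the same seed for a given site, while two sites see seeds with no visible relation to each other, so a site's stored public key says nothing about the user's identity elsewhere.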
 

leenooks

New member
Aug 1, 2020
2
5
So I thought I'd share what I've been doing with SQRL, after I discovered it about a month ago. (I'm a fan.)

If anybody remembers BBSing back in the day (Bulletin Board Systems for those not old enough) - well they still exist today, and thankfully are accessible via the Internet.

As a side hobby, I've been building a Viewdata/Videotex emulation layer on top of Synchronet BBS (which is still actively developed) - and I've added SQRL authentication to it. It's kinda weird seeing a 1980's BBS technology having user authentication satisfied by a 2019 (?) innovation.

It's still a work in progress, but if you would like to see it in action - you can see it here in these YouTube videos, or try it out directly at https://alterant.leenooks.net (they are still work in progress, and as time permits I add content and capability).

One video is the 1980's Videotex/Viewdata - the other is with an ANSI emulation.


(And if anybody is interested, the backend is Laravel Lumen - which I re-write - to learn SQRL - and I have it up on github).
 

thejim

New member
Aug 25, 2020
2
0
Thank you for taking the time to answer. As I now understand, it is a waiting game until one of the websites I use adopts it.
 

Jeffa

Well-known member
May 20, 2018
227
116
So I thought I'd share what I've been doing with SQRL, after I discovered it about a month ago. (I'm a fan.)

If anybody remembers BBSing back in the day (Bulletin Board Systems for those not old enough) - well they still exist today, and thankfully are accessible via the Internet.
Hi Deon,

This looks great, love the vids.

Can I be cheeky and ask that you change the thumbnail of my app? You just seem to have captured it in the split second of rendering so it still has all the text placeholders :D

Thanks for your testing and help.

All the very best
 

leenooks

New member
Aug 1, 2020
2
5
Can I be cheeky and ask that you change the thumbnail of my app? You just seem to have captured it in the split second of rendering so it still has all the text placeholders :D
Sure I'll update them - but I'm not following? The first video was the old app, and the second was an old build of your new app... I'll redo them to just show your new app and I can add more exposure of your app.

[re-reading your message...]
Ahh, I see the placeholders now - I get it...

The question is - when can we get your app on the appstore? I think we really need to have it easily accessible so that more folks try it out...