SQRL - Secure Quick Reliable Login

Only just learned about this - looks an ideal complement to MaidSafe.

See: https://www.grc.com/sqrl/sqrl.htm

Uses QR codes to avoid the need to share secret info for login, so while similar to MaidSafe, could maybe protect against keyloggers and screen capture at login.

8 Likes

I’ll have to do some more research to know if this is like what I found yesterday. BitId does something similar. Cool stuff and people are getting more and more familiar with QR codes. Here is a link to an demo of someone showing how it works.

4 Likes

@chadrickm Great find - they seem almost identical in user experience.

Love Steve Gibson (inventor of SQRL). He does a fantastic podcast on TWIT network called Security Now. He + Bitcoin are what opened my eyes to crypto!

Thanks for the share @happybring

1 Like

I’m not at all interested in starting some type of security religious debate but there are often two sides to any story and here is some of what the other side is saying about SQRL.

2 Likes

@chadrickm another good find! Some criticisms don’t apply to MaidSafe, but looks like it would need some work before its good enough.

2 Likes

@happybeing Just a week ago I wanted to suggest SQRL, but didn’t because it’s not finished yet.

@chadrickm Great find : P

1 Like

[This is a video of the creator of SQRL, explaining how it works.][1]

Believe me this is not your average login solution, this is security @ it finest
[1]: http://youtu.be/UZ-nZ50BNrA?t=37m10s
I foolishly assume that whatever login system is eventually used, will be the login to access everything in the Maidsafe universe, including websites (because the old internet still exist, people could still login with google, facebook), games etc.

1 Like

I think SQRL is the best login solution and should be implemented right away. I don’t know why they didn’t think of it sooner.

The password is just outdated and totally insecure because entering the password allows you to be vulnerable to keyloggers. SQRL isn’t perfect but it’s probably more secure to use a spare cellphone than to enter a password.

I think we need to offer different options, while encouraging people to increase their level of security by adopting what we regard as best practice.

So this might be:

  • basic security: password + PIN
  • enhanced security: password + PIN with 2FA enabled (SMS or authenticator)
  • enhanced security: SQRL
  • high security: trezor style (h/w dongle system etc.)

At launch I expect well go with one or two, but maybe bounties set for enhanced options.

2 Likes

Good thinking
To add to your “High security”, maybe we should develop a trezor style device with NFC, that way it could also be used to pay @ terminals. (I can’t code & I’m no hardware wonder either, but I would finance sucha device).

Imagine a device with:
NFC
Trezor style
and [FixMeStick][1] kind of security (who knows we could have Maidsafe running on it’s OS (preferably tails Linux))
People would only have to plugin their stick and they could access the Maidsafe network with no worries @ all.

[1]: https://www.youtube.com/watch?v=87LhfV1aqe8[quote=“luckybit, post:9, topic:334”]
SQRL isn’t perfect
[/quote]
SQRL unfortunately still needs a master password, but with the device above it would be safer. What I know of Steve’s atitude towards security the masterpassword will probably have 64 random characters (This is what I don’t get about deterministic wallets (Why the f#$$@ would you use 12 dictionary words, instead of 12 random characters))

Passwords you can move away from but if you must use them then it’s about entropy. You get plenty of entropy from 12 random dictionary words and its easier to remember for most people.

I say most people not all. I would say if you can move away from pass words, phrases or any of that it is better.

Because it creates a more complex password of order 12^100,000 compared to order 12^256

2 Likes

To add to what other folks are saying (because I think this concept is sometimes lost on people):

Say you use just letters and numbers for a password. That gives you 26 (uppercase letters) + 26 (lowercase letters) + 10 (0-9). So that’s 62 possible choices. So 12 random characters could be 6t3RGUZ8f99f or 6t3RGUZ8f99f or 6t3RGUZ8f99f.

Now, if you use a wordlist, say like a Diceware list with 43146, that means there are 43146 possible choices. So like:
canny earn ely few maria s high flute peg ntis doze
severe think fence drier lip march swank swore bury byword but apse

So 12 random words are much more difficult to crack than 12 random letters. If that makes sense.

Heee this is funny from Twitter Digits. Password free signup…

But what if you loose your phone or if your mobile# is deactivated? Is phone# spoofing not possible?
LOL I can’t signup @ https://fabric.io/sign_up
Boy that sure is a good start…

Yeah yeah I know this is a centralized solution, but imagine Indiephone and Maidsafe.

Don’t forget 8 nov 2014 They are having their crowdfunding

A little update on SQRL there are a few examples of it now check it out on:

https://www.grc.com/sqrl/demo.htm

Or

This one works, but needs to be finalized

http://sqrl-login.appspot.com/

Fun stuff & cheers @happybeing
:stuck_out_tongue:

2 Likes

SQRL in details enjoy :stuck_out_tongue:

1 Like

Have anyone tried to contact TREZOR developers? You can actually low your own firmware to the device. It would show the warning that the firmware is not signed by SatoshiLabs, but it would work for testing purposes. Later if the firmware is open-sources and properly vetted SatoshiLabs might sign the firmware.

Another option is to use the original firmware and the private seed (see BIP0032 and BIP0044 on github) stored in the device. Since the seed can generate any number of private keys and can sign the message by them, it can be used to sign login challenge, although I am not sure it Maidsafe can work this way. The great thing about the TREZOR is that the private key never leaves the device and never touches the realm of Internet, thus you can be sure you access key is never compromised.

1 Like

SQRL is almost finished

But there is something, whenever you type a correct character it’s indicated with green, I’ve learned from the SAFE Network approach, that you never reveal if something is correct or not. So that might be a issue…

It will also have Yubico support :stuck_out_tongue:

2 Likes

For those interested, there was a topic started by @dirvine also about using SQRL with some interesting reads

3 Likes