[Discuss] Steve Gibson's SQRL

[Edward Ned Harvey (blu)]

> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of Tom Metro
> 
> SQRL

Every authentication system, no matter what, is based on a combination of something you know, or something you have.  Nothing against SQRL, but SQRL is something you have - it's yet another key manager - so it comes down to a choice of which characteristics and usability you like.  The only "thing" you always have is your biometrics - but you don't always have your biometrics device (fingerprint/handprint/retina scanner etc)

When passwords are chosen poorly, they offer little or no technical protection - but surprisingly, even if your password is "password" or "123456" it provides quite a lot of legal protection.  The case study in 3rd party exposure is a postcard going through the mail vs a sealed envelope.  You have no reasonable expectation of privacy for the postcard, because all the mail handlers could have seen the message plainly.  The sealed envelope - while trivial to open and even stealthily re-seal - provides a reasonable expectation of privacy and therefore protected by 4th amendment.

I am in favor of 2-factor authentication, involving something you know, *and* something you have.  Because something you have can often be stolen or copied.  But I am strongly opposed to *exposing* something you know to the server.

This is what we created https://cbcrypt.org for.  It takes hostid, username, and password, and converts them into an asymmetric keypair.  Only the public key gets exposed to the server, so the server is able to confirm that *you* know your secret, without the server actually knowing your secret.

Also, if you carefully select a long complex password, it's absolutely possible (though unusual) to memorize something complex enough to be used as an encryption key, strong enough to *actually* keep out the most sophisticated brute force attacks.  Although it's rather unusual you need to select a password *that* strong.