In the past couple of years we've become accustomed to weekly news of grand scale username and password thefts at major web services. As many people use very insecure passwords that can be cracked in seconds and by using the same passwords for many web services, usernames and passwords have become very insecure. In addition, viruses and Trojan horses try to get username and password combinations directly on PCs to get access to banking web sites and other high value targets. To me it looks like the situation is getting more and more out of control. While two factor authentication (e.g. an SMS with an additional code being sent by the bank before a transaction is made) fixes some of the issues for some web services, it's too cumbersome for everyday logins. But now Steve Gibson, famous for his SpinRite product and perhaps even more for his weekly Security Now podcast has come up with a solution that fixes all of this. Too good to be true? I thought so, too, at first but it seems he's really figured it out.
The core of his solution that he named SQRL (Secure QR Code Login) is that web services no longer store usernames and passwords but just a public key that was sent from the user when he first registered to the web site. For login, the web site sends a random number that is encrypted on the client side with the users secret key to generate a response. On the web service's side the response is decrypted with the public key agreed during initial registration. In other words, the secret password is no longer in the hands of the web service but in the hand of the user. That means that there is no longer a password database with millions of entries worth stealing on the web service's side. As each web service gets a different public key with the SQRL method and a different random number is used for each login, there's no password leakage between services due to the user of the same username and password for different sites as done by many users today to make their life simpler. Also not to underestimate is the advantage that no password has to be typed in, which fixes the issues that simple to remember and easy to crack passwords are used.
On the client side the use of SQRL is straight forward. Either a smartphone is used to scan a QR code on the login page for an out-of-band authentication which is the most secure way to access a web service in case the secret key can be stored securely on the mobile device. Also, implementations are possible with a browser plugin that detects that a web service offers SQRL login and automatically generates the response.
For more, head over to Steve's page that explains the details or listen to the podcast /videocast on the topic where he introduces SQRL starting at around 38 minutes into the podcast. I am amazed and very enthusiastic about it and hope we'll see implementations of this in the wild soon.
I don’t run a large website, but I do manage a couple users. And for the most part they don’t give a damn about security, but they do forget passwords. And they change machines. Which is why you currently have the overwhelming majority of users using one single insecure password to login to all of the websites they use. Including Google and Facebook and the like. Which makes hacking any popular forum very attractive. You get passwords that most likely will grant you access to many sites. Hashes can be computed with GPU power. And markov chain based password crackers mean that the very secure password you dreamt up may in fact be very insecure. This article:
http://www.heise.de/ct/artikel/Die-Passwortknacker-1779840.html
(the article series in the offline issue, unfortunately)
was a real eye opener. And changed the recommended password strategies yet again. And yet again it made it even unlikelier that anyone will follow recommended strategies. Even for people that care. But those recommended strategies were moot anyways in the face of the overwhelming majority of users that value simplicity far above and beyond security.
If you want to improve security on the web, you need to make it dead simple to use. And then make it even simpler. That is the key to greater security. It doesn’t need to be secure, but simple. But even if it is simple, if it doesn’t make everything much more secure, why bother? Which is why we are still using the broken system we have today.
My guess is that we simply need two factor or even three factor at one or two entry points (Google, for example) and then something like OpenID. But I am open to suggestions.
“If you want to improve security on the web, you need to make it dead simple to use.”
Improved security and simpler security are opposites on a continuum.
It is literally not possible to have security be both simple and strong.
Demanding the impossible is pointless.
Hi,
thanks for the comment. Before I saw SQRL I had similar thoughts
concerning security and easiness as two oppsite things. With SQRL,
however, the two ends are coming much closer together.
Cheers,
Martin