Passwords Suck and Will Go Away – Here’s How
By their very nature, usernames and passwords are not secure. They are security mechanisms that rely on “something you know” to function properly, and because knowledge is easily transferable, passwords are not secure.
No amount of security training will completely erase or negate human nature. People are inclined to create passwords that are simple and easy to remember, and a password that is easy for us to remember is also easy for others to guess. Passwords are also reused across a variety of accounts, including bank accounts, email accounts, work accounts, and so on.
Worse still, passwords are frequently openly discussed among trusted individuals, such as members of the family. When a user shares his or her Netflix account email and password, others can gain access to numerous other accounts that the user possesses.
Therefore, Two Factor Authentication became necessary
The authentication process is made significantly more secure by combining passwords with biometrics (something you are) or a smart card (something you possess).
For signing into corporate systems, it is now standard practice to require a one-time password generated by an RSA token or a smartphone soft token in addition to a password. To sign in, you must both know the password and have the device in your possession.
Biometrics, such as a fingerprint reader or a retina scan, are less prevalent than passwords yet extremely effective when used in conjunction with them.
The requirement for two-factor authentication serves as a reminder that passwords are ineffective.
There has to be a better solution out there. Yes, there is.
SQRL (Squirrel) will destroy the need for Logins and Passwords
SQRL is an acronym that stands for “Secure Quick Reliable Login.” Steve Gibson, one of the most prominent figures in the field of cybersecurity, is the man behind SQRL. He hosts the Security Now podcast and is also the author of several books on cybersecurity. Steve is one of my favorite people in the cybersecurity industry, and he has a great sense of humor.
Since the genesis of the concept in 2013, Steve and his team have been hard at work building SQRL. This protocol/method is still in the early stages of development, but it appears to be on the verge of being ready for use. Gibson Research offers an SQRL demonstration.
The best part about SQRL is that it is completely free and open, and it will stay that way indefinitely. Steve Gibson created SQRL to meet a need rather than to make money. Thousands of hours of development and study were “donated” for the benefit of the cyber world – a very honorable act on the part of the developers and researchers.
The login page for the SQRL demo can be found here:
The SQRL process is both simple and brilliant.
For this to work, you need the SQRL app installed on your phone; the app holds your private key.
The URL and domain of the website that you are attempting to connect to are contained within the QR code (as shown in the above image). Through the scanning of the QR code, you will be able to generate a public/private key pair by combining your master key with the domain name of the website and using a hashing function (HMAC).
Your phone app then transmits your public key to the website to establish your identity, and the encrypted QR code is transmitted to verify that identity.
Your public key takes the place of your username on this website. You no longer need to enter your password because the encrypted QR code will suffice.
Your public key is a constant – it doesn’t change at any point in time. As a result, the website you are visiting will always recognize you as the visitor.
In addition, because the QR code is encrypted with your private key, the website can verify that you possess the matching private key even though the website never has access to that private key.
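The following program is an added illustration of the flow just described; it is not code from the original post or from Gibson Research. It derives a per-site key pair from a master key and the site's domain with HMAC-SHA256, uses Ed25519 (the signature scheme SQRL specifies) to prove possession of the per-site private key, and shows the server storing nothing but public keys. The `Site` type, the newline-separated domain-plus-nonce message, the nonce bookkeeping and the result strings are assumptions made for this example and are not SQRL's actual wire protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// DeriveSiteKey turns the user's master key and a site's domain into that
// site's Ed25519 key pair. The seed is HMAC-SHA256(masterKey, domain), so
// the same master key yields a stable identity at one site and unrelated
// identities at different sites.
func DeriveSiteKey(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(strings.ToLower(domain)))
	seed := mac.Sum(nil) // 32 bytes == ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signedMessage binds the challenge to the domain (assumed format for this
// example) so that a signature made for one site cannot be presented to another.
func signedMessage(domain string, nonce []byte) []byte {
	return append([]byte(strings.ToLower(domain)+"\n"), nonce...)
}

// ClientSign is the phone app's side: derive the per-site key and sign the
// site's challenge. It returns the public key (the user's identity at this
// site) and the signature; the master key never leaves the app.
func ClientSign(masterKey []byte, domain string, nonce []byte) (ed25519.PublicKey, []byte) {
	pub, priv := DeriveSiteKey(masterKey, domain)
	return pub, ed25519.Sign(priv, signedMessage(domain, nonce))
}

// Site is the server side (assumed structure). It stores only public keys,
// so a breach of this table gives an attacker nothing to impersonate a user with.
type Site struct {
	Domain string
	users  map[string]bool // registered identities, hex(public key)
	nonces map[string]bool // outstanding single-use challenges
}

func NewSite(domain string) *Site {
	return &Site{Domain: domain, users: map[string]bool{}, nonces: map[string]bool{}}
}

// Challenge issues a fresh random nonce that the client must sign.
func (s *Site) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Login checks the signature over a nonce this site issued. First contact
// registers the public key (no email, no password); later visits are
// recognised because the per-site public key never changes.
func (s *Site) Login(pub ed25519.PublicKey, nonce, sig []byte) (string, error) {
	key := hex.EncodeToString(nonce)
	if !s.nonces[key] {
		return "", errors.New("unknown or already used challenge")
	}
	delete(s.nonces, key) // each challenge is accepted once, so a captured response cannot be replayed
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signedMessage(s.Domain, nonce), sig) {
		return "", errors.New("signature does not verify for this site")
	}
	id := hex.EncodeToString(pub)
	if s.users[id] {
		return "welcome back", nil
	}
	s.users[id] = true
	return "account created", nil
}

func main() {
	// Constructed demo master key; a real app would generate this randomly.
	master := sha256.Sum256([]byte("constructed demo master key"))
	site := NewSite("example.com")
	for i := 0; i < 2; i++ {
		nonce, err := site.Challenge()
		if err != nil {
			panic(err)
		}
		pub, sig := ClientSign(master[:], site.Domain, nonce)
		result, err := site.Login(pub, nonce, sig)
		fmt.Printf("identity %s...: %s (err=%v)\n", hex.EncodeToString(pub)[:8], result, err)
	}
}
```

Running `main` performs two logins against the same site: the first registers the identity, the second is recognised as a returning user, and the same master key produces a different public key for every other domain.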
The SQRL procedure is both simple and ingenious in its execution.
The following are the steps depicted in Steve Gibson’s process drawing:
The Amazing Advantages
SQRL is ridiculously simple to operate.
One of the most advantageous aspects of this system is that it lets you authenticate at a website extremely quickly and with little effort on your part. The user is never required to create an account on the website in the first place by entering an email address and choosing a password.
When you have set up SQRL, it is as simple as clicking on the SQRL logo to register an account on a blog or any other website after that. It only takes one step to complete the task. It’s a piece of cake. This is referred to as “frictionless.”
How Will SQRL Unfold?
While SQRL is innovative, it is also extremely simple to use. Because of its simplicity, there isn’t a lot that can go wrong in terms of performance, and it is unlikely that many problem fixes will be needed.
SQRL is quite safe.
No one should ever expect SQRL to be responsible for data losses that occur as a result of hacking or social engineering. The very nature of SQRL ensures that it is safe: a breach would only mean that a hacker had gained access to the public keys of the users in question.
However, it is unlikely that anyone will be concerned if their public key is made public.
Your public key is, as the name implies, accessible to the general public. The hacker would not be able to impersonate the users because the private key of the users would remain confidential.
When it comes to creating a log-in, SQRL is preferable to utilizing Facebook or Google.
Although using Facebook or Google to generate logins for websites is extremely simple, it poses a far higher security risk. When you choose this strategy, you are forced to rely on a third-party website for your authentication. If that third party is penetrated, every login that depends on it is compromised. When it comes to security, this snowball effect isn’t a situation you want to find yourself in.
What Will Be the Outcome of SQRL?
At the moment, only a small number of individuals are aware of SQRL, how it operates, and the benefits it provides. There are very few people who understand how SQRL works and how powerful it is, other than security nerds (like myself) and Steve Gibson aficionados (also like myself).
I anticipate that Steve and his team will complete the development of SQRL shortly. I’m looking forward to the official launch of the website. Adoption will be extremely slow at first, as only security nerds will be interested in using it. However, once the full extent of SQRL’s power is realized, it will begin to gain traction and media attention.
Certainly, the folks at TechCrunch will write an article about it.
Soon, SQRL will replace HTTPS as the de facto security standard for websites on the internet. You will be hard-pressed to find a WordPress site that does not make use of SQRL in some capacity. If your site does not make use of SQRL, you will be at a competitive disadvantage.