<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On 18 February 2015 at 21:55, John Denker <span dir="ltr"><<a href="mailto:jsd@av8n.com" target="_blank">jsd@av8n.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">On 02/17/2015 02:42 PM, Kent Borg wrote:<br>
> Passwords have serious problems, but they are bit like the problems with one-time-pads: cumbersome--but otherwise perfect.<br>
</span>I would have said it differently: Passwords are deeply<br>
flawed in principle, but convenient in practice. An OTP<br>
is almost the opposite: it is perfect in principle, but<br>
inconvenient in practice -- often fatally so.<br>
<span class="">
> Our use of passwords, on the other hand, is terrible. But all the alternatives to passwords are worse.<br>
</span>Agreed. A password, like a chainsaw, can be /used/ in<br>
lots of ways ... some good, some bad. One has to think<br>
very carefully about how to use it. Many things that<br>
look like they might be an improvement end up being<br>
unusable or worse.<br></blockquote><div><br></div><div>As a lay-person, but with some degree of interest, does the group have any particular views in any direction on the Steve "GRC" Gibson system SQRL? It seems to me (ignoring that it's Steve Gibson who wrote the concept and implementation) that it's a mostly acceptable alternative to having to remember large numbers of passwords, of having a password manager, or requiring dedicated hardware fobs.<br><br></div><div>That is, you have a single "master" password that unlocks the credential tool, you have a simple login mechanism (click on, or scan the QR Code), and zero knowledge of the actual credential on the target device. It's wrapped up in such a way that transferring the master credential between devices is simple (again, a scan of a QR code) yet (apparently) difficult to brute force... and apparently (again, I'm a lay-person in this) is easy to revoke a credential and replace it with a new one using the same system.<br><br></div><div>I've seen several pages decrying the system as rubbish and as having copied other systems, some people bemoaning that it's Steve Gibson who created it (and, while I don't really care either way about his history, I understand why some people are bothered by him)... but I can't really see many flaws in it (aside from it's requirement for using HTTPS as the transport mechanism in the background).<br><br>--<br><div><div class="gmail_signature">Jon "The Nice Guy" Spriggs</div></div>
</div></div></div></div>