> From: Chase Hoffman [mailto:driftpeas...@driftpeasant.org]
>
> How does this compare to Steve Gibson's SQRL?

Well, there's basically no similarity. They're both alternatives to sending your password to a server, and the similarity ends there.

In CBcrypt, the servername, username, and password are all combined to create a site-specific, user-specific, password-specific keypair, a keypair that is deterministically recreatable by anyone who can combine those ingredients together (which requires knowing your password). Only the username and public component are sent to the server. There is no need for any keychain manager or clientside app, as this can all be done in javascript, java, .NET, or whatever. The only thing a user needs to carry with them is knowledge of their own secret password, which is never disclosed to anyone, but *is* securely verifiable nonetheless.

If SQRL is going to take off, it sounds cool. But it requires a client-side application performing the task of keychain management, and if a user travels from device to device, they must synchronize their devices together somehow. There are a bunch of people writing articles about problems with SQRL on the internet, but that doesn't necessarily mean it's a bad thing. I think most, if not all, of its problems can be solved except for the necessity to carry something with you and synchronize it with yourself at other devices.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
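The scheme sketched in the reply above (servername + username + password deterministically yield a keypair; the server stores only the username and the public component; the user proves knowledge of the password without ever sending it) can be exercised end to end with a short program. The following is an added example written for this page, not CBcrypt's own code: it assumes PBKDF2-HMAC-SHA256 as the key-stretching step and Ed25519 for the keypair, since the message does not specify CBcrypt's actual KDF, curve, or salt encoding, and it assumes a challenge-response login (the server sends a fresh nonce, the client signs it) as the "securely verifiable" step. Names such as DeriveKeyPair, ClientLogin and the "cbcrypt-example" salt label are inventions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA256 is a plain PBKDF2 (RFC 8018) over HMAC-SHA256. It stands in for
// whatever stretching function CBcrypt really uses (assumption: not specified on the page).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	var out []byte
	ctr := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveKeyPair combines servername, username and password into a keypair.
// The salt binds the seed to the site and the account, so the same password
// yields unrelated keys on different sites (salt layout is an assumption).
func DeriveKeyPair(server, user, password string) (ed25519.PublicKey, ed25519.PrivateKey) {
	salt := []byte("cbcrypt-example\x00" + server + "\x00" + user)
	seed := pbkdf2SHA256([]byte(password), salt, 100000, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed) // deterministic: same ingredients, same key
	return priv.Public().(ed25519.PublicKey), priv
}

// loginMessage is what the client signs: a fresh nonce, domain-separated with the
// site name so a signature for one site cannot be replayed at another.
func loginMessage(server string, nonce []byte) []byte {
	return append([]byte("cbcrypt-login:"+server+":"), nonce...)
}

// Server holds only usernames and public components, never passwords.
type Server struct {
	name    string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewServer(name string) *Server {
	return &Server{name: name, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the public component the client sent at signup.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a random single-use nonce for the user to sign.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[user] = nonce
	return nonce
}

// Verify checks the signature over the outstanding nonce and consumes the nonce,
// so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, known := s.users[user]
	nonce, outstanding := s.pending[user]
	delete(s.pending, user)
	if !known || !outstanding {
		return false
	}
	return ed25519.Verify(pub, loginMessage(s.name, nonce), sig)
}

// ClientLogin recreates the keypair from the three ingredients and signs the challenge.
// Only the signature leaves the client; the password and private key never do.
func ClientLogin(server, user, password string, nonce []byte) []byte {
	_, priv := DeriveKeyPair(server, user, password)
	return ed25519.Sign(priv, loginMessage(server, nonce))
}

func main() {
	const site, user, pw = "example.com", "alice", "correct horse battery staple"
	pub, _ := DeriveKeyPair(site, user, pw)
	fmt.Println("public component sent at signup:", hex.EncodeToString(pub))
	srv := NewServer(site)
	srv.Register(user, pub)
	sig := ClientLogin(site, user, pw, srv.Challenge(user))
	fmt.Println("login with correct password:", srv.Verify(user, sig))
	sig = ClientLogin(site, user, "wrong password", srv.Challenge(user))
	fmt.Println("login with wrong password:", srv.Verify(user, sig))
}
```

Two properties worth checking when running this: the public component is identical across runs and devices (nothing to synchronize, as the reply says), and it changes completely when only the servername changes, so a compromised site learns nothing usable elsewhere. The caveat a practitioner should keep in mind is that a public component is still an offline guessing target for anyone who can recreate the derivation, which is exactly the position a stolen password hash is in; the iteration count (or a memory-hard KDF in place of the PBKDF2 stand-in here) is what makes those guesses expensive, and the single-use nonce is what prevents a captured login from being replayed.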