Category Archives: Security

SQRL’s Fatal Flaws

Steve Gibson‘s SQRL authentication has two fatal flaws: future identities are too easily compromised and using it with multiple devices becomes more difficult over time. Since it relies on derived keys to generate each identity a single, compromised identity-unlock-key (IUK) puts all past and future secrets at risk. At least until one knows it has leaked.

SQRL tries to mitigate this derivation weakness by its ‘rekeying’ feature. Though that rekeying requires updating the identity file on all devices that need it as well as revisiting all previously used services. One must go through the rekeying and revisiting process any time ones IUK is compromised.

Such rekeying doesn’t help when one doesn’t know the IUK has been compromised. Meaning attackers with the key could create an identity before a user has tried. Then when the real user signs into their ‘new’ identity the attacker also has access, they may even have primed the account with weaker privacy settings.

Password Vaults have a similar weakness which could expose all past secrets, but no future ones. And since there is typically a different (random) password for each service the size of the data an attacker needs to extract is often larger. Bigger payloads are usually more difficult to exfiltrate completely and are more likely to be noticed.

As far as I can tell there doesn’t seem to be a solution to these fundamental issues with SQRL. But I’d love to be proven wrong. So if this assessment has any inaccuracies or you have thoughts to share then please leave a comment.

UPDATE: Full disclosure, I created a premium plugin for the KeePass Password Safe.

Thinking Of Password Strength Like Slot Machines

Instead of communicating password strength—specifically unpredictability—as ‘bits,’ let’s consider using slot machines as a metaphor. Bits of entropy are the traditional way of describing the randomness and variety, though it can be intimidating or too abstract for some users. It can also overlook that each ‘character’ in the equation is actually an entire word, since those are easier for users to remember. Slots are relatively simple machines which randomly rotate among variations of options and line up together like letters or words in a passphrase. So this metaphor may help users better understand the strength of their passwords.

Let’s imagine that slot players are thieves looking to steal the money in your bank account. Slot positions or wheels can be thought of as each character or word in your password or phrase. And the varieties of slot fruits represent the possible characters or words in your secret. Now if a player happens to line up each of them they’ll strike jackpot and get access to all your money. Preventing unwanted jackpots like that requires choosing passwords or phrases that are unpredictable. So we want a lot of different fruit (characters/words), as many slot positions as practical (as long as possible), and no pattern among the slot choices (no relationship between them). More is stronger.

It’s important to keep in mind that if we choose a password as a collection of words (not random characters) then our ‘fruit’ or dictionary cannot be counted as each character. In that case it must be counted as each whole word. Attackers know that people often use words because of frequent passwords leaks. So any pattern we choose should be considered public knowledge.

Now, to gauge how strong a password (jackpot) is we can multiply the number of possible words/characters (fruit) together repeatedly, one for each slot position. Consider that three words with two slots is 3 x 3 or 9 possible values. Put another way we take it to the exponent: 3 ^ 2 = 9. Guessing randomly the attacker/player would probably hit the jackpot in half as much, on average. So that password would typically require 9 / 2 or 4.5 guesses to get right. That’s really weak.

Expressing that as attempts gets out of hand quickly since at 1000 words/characters with 3 slots we’ve got 1,000 ^ 3 or 1,000,000,000 which is one billion. A dictionary or fruit basket of 10K with 5 slots would be 100,000,000,000,000,000,000 or one hundred quintillion, on average guessed in fifty quintillion attempts. If these numbers are too unwieldy we could use the ‘bits’ method to make these numbers easier to read and reason about. Then our 10,000-5-slot password would be log base 2 of 100 quintillion or about 66.4 bits. Still it would be important to remember to take care when filling in the ‘fruit’ or dictionary number to avoid counting characters when we’re actually using words.


Each of the password requirements (many kinds of ‘fruit’, multiple slot positions, unrelated ‘fruit’ choices) is important, and that makes strong password/phrase choices hard to remember. Typically we also have many accounts with a variety of website and services. Ideally each account should use a different, unrelated password than all the others. For this reason a password manager makes life more practical. Properly designed they can encrypt all the random passwords or phrases with one, strong-yet-memorable password. If you aren’t using one please try making it a part of your daily routine for a month. It could save you a lot of time and headache by avoiding the loss of your accounts or funds.