Educause Security Discussion mailing list archives

SQRL (Re: [SECURITY] Image, word, and password login)
From: Ben Marsden <bmarsden () SMITH EDU>
Date: Fri, 6 Dec 2013 16:07:17 -0500

I hate passwords as an authentication tool...

and I side with the concept that biometrics assert identity, not

So, is anyone else looking at SQRL as a possible implementation option?
 IMHO it's a pretty nice concept, but it's in the early stages of

In a grossly oversimplified nutshell, it uses site-specific asymmetric key
pairs to identify / authenticate an individual with pretty minimal user
interaction -- seems both easy to use (user friendly) and robust (PEBKAC
averse + compromise resistant).

  https://www.grc.com/sqrl/sqrl.htm
  http://www.sqrl.pl/  -- for a more graphical description of the process

 fwiw,  -- Ben
Ben Marsden : Information Security Director, CISSP/GISP
ITS, Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden () smith edu     (413) 585-4479
=--> Any request to reveal your Smith password via email is fraudulent!

On Fri, Dec 6, 2013 at 3:36 PM, Karl Bernard <karl.bernard () gmail com> wrote:

A colleague mentioned this thread to me and I'm a consumer of this same
technology (site authentication) at a couple of financial sites. Until
today, I'd always thought it was pretty cool until I was trying to find
the official name for this kind of thing and found some less than
stellar articles and studies about using them:


Karl Bernard
UTHealth, Academic Health Center at Houston

On Fri, Dec 6, 2013 at 1:18 PM, Joel L. Rosenblatt <joel () columbia edu> wrote:


I have an account at a vendor that uses a system like this - I picked
a picture and a word, and when you enter your account (before your
password) it takes you to a page that displays the picture and word
and prompts for the password

It makes the login a 2 screen affair, which may bother some of your
users who think that everything has to be done in subsecond time.

Our web login to our mail system displays

Greetings, Joel Rosenblatt (or your own name :-)

after you type in your account, but before you type in your password -
similar idea, but less pages and it doesn't require the user to do
anything except recognize their name :-)

Good luck!

Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
Public PGP key

On Fri, Dec 6, 2013 at 2:08 PM, Derek Diget
<derek.diget+educause-security () wmich edu> wrote:
We are thinking about creating a login process where users pick a
and/or word before getting a password entry box.[1]  The main driver is to
prevent phishers from copying our "static" login pages.

The process would go something like....

0) Training, Training, Training...and other carbon based life form user
issues...... :)

1) User gets to our login page
2) User enters login ID
3) login process retrieves user's picture and word choice
4) login process displays user's picture with 8 (or 11) others randomly
5) User selects their picture
6) If correct, login process displays user's word with 8 (or 11) others
7) If correct, login process give user a password text box to finish

(Yes, a phisher could duplicate the pictures and words and disregard
the user picks...so the user would always get to the password box, but
current thought is that it would take too much "work" for them to
this new login process and there are other easier fish in the sea to

I have two questions to the group....

1) Is there an industry term for this type of authentication process?
kind of is two-factor, but we want to avoid using that term as most
think of two-factor having a physical component...token card, key fob,
phone, etc).

2) Does anyone know of any research on a multi-step authentication
like this?  Be it usability issues, increased security, etc.

Note 1: We vet the user.  As part of the process of setting a password,
also pick a picture out of ~12 (with a library of 100+) choices and
their choice.  They then pick a word out of ~12 (with a library of 100
or so
words) and store their choice.  Then they finish setting a password.

Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
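Ben's message describes SQRL as site-specific asymmetric key pairs used to identify and authenticate a user. The program below is an added illustration of that idea and is not code from the thread, from GRC, or from any SQRL implementation: it is a simplified model in which a per-site Ed25519 key pair is derived from a master key as HMAC-SHA256(master, domain), the site issues a random challenge, and the client signs it. The domain names, the master key, the `|` separator in the signed message and the `known` account map are all constructed for the demo. The point it makes for the phishing discussion in this thread is that a look-alike domain derives an unrelated identity, so nothing captured there verifies at the genuine site, and a reused challenge fails because the nonce is part of what is signed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SiteKeyPair derives a per-site Ed25519 key pair from the user's master key.
// The private seed is HMAC-SHA256(master, domain): the same master key always
// yields the same identity for a given domain and an unrelated one for every
// other domain. Simplified model of the SQRL idea, not the reference scheme.
func SiteKeyPair(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Challenge is what the site presents to the client (in SQRL, via a QR code
// or link): its own domain plus a fresh random nonce to defeat replay.
type Challenge struct {
	Domain string
	Nonce  []byte
}

// NewChallenge mints a challenge with a 16-byte random nonce.
func NewChallenge(domain string) (Challenge, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{Domain: domain, Nonce: nonce}, nil
}

// signedBytes is the message both sides sign/verify: domain || "|" || nonce
// ("|" is an assumed separator for this demo).
func signedBytes(c Challenge) []byte {
	return append([]byte(c.Domain+"|"), c.Nonce...)
}

// ClientRespond is the user's side: derive the key for the domain the client
// itself observed (displayedDomain), sign the challenge, and return the public
// key that identifies the user to that site.
func ClientRespond(master []byte, displayedDomain string, c Challenge) (ed25519.PublicKey, []byte) {
	pub, priv := SiteKeyPair(master, displayedDomain)
	return pub, ed25519.Sign(priv, signedBytes(c))
}

// ServerVerify is the site's side: accept only if the signature is valid for
// the presented public key over this site's own challenge, and that public
// key is one the site enrolled. Returns the account name and success flag.
func ServerVerify(c Challenge, known map[string]string, pub ed25519.PublicKey, sig []byte) (string, bool) {
	if !ed25519.Verify(pub, signedBytes(c), sig) {
		return "", false
	}
	user, ok := known[hex.EncodeToString(pub)]
	return user, ok
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed master key for the demo

	// Enrolment: the site stores the public key the user presents for its domain.
	pub, _ := SiteKeyPair(master, "login.example.edu")
	known := map[string]string{hex.EncodeToString(pub): "bmarsden"}

	// Login: site issues a challenge, client signs it, site verifies.
	c, _ := NewChallenge("login.example.edu")
	respPub, sig := ClientRespond(master, "login.example.edu", c)
	user, ok := ServerVerify(c, known, respPub, sig)
	fmt.Println("genuine site:", user, ok)

	// A look-alike domain derives an unrelated identity, so a response
	// captured there is not a known account at the real site.
	phishPub, _ := SiteKeyPair(master, "login-example.edu")
	fmt.Println("same identity at look-alike domain?", bytes.Equal(pub, phishPub))
}
```

The client signs for the domain it actually sees, not for whatever domain the challenge claims; that is the property that makes the per-site identity useless to a copy of the login page hosted elsewhere.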
