EFF’s Dice Random Number Generator digitized to become DicePass.org

TL;DR – this is why (and how) I created the electronic version of EFF’s Dice.

I love the Electronic Frontier Foundation (EFF) and believe in their just cause. I support it as much as I can and try to educate as many people as I can about their rights and privileges online and how to behave correctly in this newfound jungle.

A while back I came across a post about their new “toy”/campaign, EFF’s Random Number Generator, also known as Dice.

The idea behind it is to help people generate more secure passwords that they can actually remember, and the means to do it is as simple as it gets: a die. Or 5 (if you want to optimize).

The concept is simple.

  1. Roll a die and record the digit. Do it 5 times.
  2. These 5 digits now form a 5-digit number.
  3. Look up the word associated with this number in a wordlist such as this one.
  4. Repeat the process 6 times so that you end up with 6 words.
  5. You are now the proud owner of a passphrase with roughly 2⁷⁷ possible variations (that’s about 221,073,919,720,733,357,899,776 of them)!

That’s it.

So simple. If the words you got are reasonable enough you can even construct a sentence from them, and it will be even easier to remember.

EFF created these 5 custom dice as part of their summer security reboot, so it takes a lot less time to physically generate the passphrase.

While I enjoy rolling dice as much as the next person, I thought it would be interesting to create a (rather) secure electronic version of it that can (if needed) be hosted online.

While investigating secure pseudo-random number generators (PRNGs) in JavaScript, I found out about crypto.getRandomValues, an API implemented in modern browsers that draws on the operating system’s PRNG (find out whether your browser supports it).

So, I’ve created DicePass (you can also get the code on Github). You can use the hosted version or clone the repository and run it locally (just open index.html in your browser).

The hosted version doesn’t use any tracking code (no Google Analytics) or 3rd parties that can track you. Even the share buttons are a custom implementation using a URL that opens in a new window/tab, to protect your privacy.

Feedback, comments and pull requests are welcome.

Enjoy, and use long random passphrases!


Some more interesting speculation about Google’s future plans

I’ve just stumbled upon this, which seems to contain some very interesting speculations as to Google’s future plans.

They all strengthen the point I made in my previous post that Gmail IDs are a Passport-like system for authentication and that they will be used throughout current and future services. They are already being used in most of Google’s personalization sites.

Another thing the link I started with talks about is the fact that Google Talk is also more about managing your contacts, and you can see that the integration of Gmail and its Contacts into Google Talk also supports the conclusion that it is heading towards a more centralized authentication system.

I will not be surprised if they will join Project Liberty, or even worse, start their own initiative.

I don’t mind having a single authentication system but I don’t want it centralized in one place. I would rather have it decentralized like the DNS system or like Jabber and the XMPP specs are. Heck, even the fact that Linux is not controlled by a single vendor is one of the things that make it very compelling to a lot of organizations and people. The fact that you can switch between two distributions is very important to businesses, as is the fact that it creates positive competitive conditions that are all good for the customer.

Don’t forget that one of the few things that killed the true vision of Microsoft’s Passport and Microsoft’s Hailstorm project was the fact that no one wants to have all of their information stored in one vendor’s system, and if Google are indeed going in that direction they will stumble upon the same issues that killed Microsoft’s projects.