EFF’s Dice Random Number Generator digitized to become DicePass.org

TL;DR – this is why (and how) I created the electronic version of EFF’s Dice.

dicepass
I love the Electronic Frontier Foundation (EFF) and believe in their just cause. I support it as much as I can and try to educate as many people as I can about their rights, privileges online and how to correctly behave in this new found jungle.

A while back I got a post about their new “toy”/campaign EFF’s Random Number Generator also known as Dice.

The idea behind it is to help people generate more secure passwords that they can actually remember and the means to do it was so simple. A dice. Or 5 (if you want to optimize).

The concept is simple.

  1. Roll a dice and record the digit. Do it 5 times.
  2. These 5 numbers now represent a 5 digits number.
  3. Lookup a word associate with this number in a wordlist such as this one.
  4. Repeat the process 6 times so that you have at the end 6 words.
  5. You are now the proud owner of a passphrase that has roughly 2⁷⁷ variations (that about 221,073,919,720,733,357,899,776 variations)!

That’s it.

So simple. If the words you got are reasonable enough you can even construct a sentence from it and it will be even easier to remember.

EFF created these 5 custom dices as part of their summer security reboot, so it will take a lot less time to physically generate the passphrase.

While I enjoy rolling dices as much as the next person, I thought it would be interesting to create a (rather) secure version of it that can (if needed) be hosted online.

While investigating about secure Pseudo Random Number Generators (PRNG) in JavaScript I found out about crypto.getRandomValues which is an API implement inside modern browser that uses the Operating Systems’ PRNG (find out if your browser support it)

So, I’ve created DicePass (you can also get the code on Github). You can use the hosted version or clone the repository and run it locally (just open index.html in your browser).

The hosted version doesn’t use any tracking code (no Google Analytics) or 3rd parties that can track you. Even the share buttons are custom implementation using a URL that opens in a new window/tab to protect your privacy.

Feedback, comments and pull requests are welcome.

Enjoy, and use long random passphrases!

 

Lets Encrypt Error: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

Are you using Lets Encrypt? (If not, you should go ahead and use it to generate SSL certificates to ALL of your web servers).

If you want to run it on EC2 or GCE using the –standalone argument (./letsencrypt-auto certonly –standalone -d example.com) make sure port 443 (for SSL) is open on that server.

Otherwise you’ll get the infamous:

The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

Go ahead. Install it. Today.