EFF’s Dice Random Number Generator digitized to become DicePass.org

TL;DR – this is why (and how) I created the electronic version of EFF’s Dice.

I love the Electronic Frontier Foundation (EFF) and believe in their just cause. I support it as much as I can and try to educate as many people as I can about their rights and privileges online and how to behave correctly in this newfound jungle.

A while back I got a post about their new “toy”/campaign, EFF’s Random Number Generator, also known as Dice.

The idea behind it is to help people generate more secure passwords that they can actually remember, and the means to do it is so simple: a die. Or 5 (if you want to optimize).

The concept is simple.

  1. Roll a die and record the digit. Do it 5 times.
  2. These 5 digits now form a 5-digit number.
  3. Look up the word associated with this number in a wordlist such as this one.
  4. Repeat the process 6 times so that you end up with 6 words.
  5. You are now the proud owner of a passphrase that has roughly 2⁷⁷ variations (that’s about 221,073,919,720,733,357,899,776 variations)!

That’s it.

So simple. If the words you got are reasonable enough, you can even construct a sentence from them and it will be even easier to remember.

EFF created these 5 custom dice as part of their summer security reboot, so it will take a lot less time to physically generate the passphrase.

While I enjoy rolling dice as much as the next person, I thought it would be interesting to create a (rather) secure version of it that can (if needed) be hosted online.

While investigating secure pseudo-random number generators (PRNGs) in JavaScript, I found out about crypto.getRandomValues, an API implemented in modern browsers that uses the operating system’s PRNG (find out if your browser supports it).
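The five steps above combined with crypto.getRandomValues, as an added example that is not DicePass's own code. The names rollDie, rollKey, buildPlaceholderWordlist, generatePassphrase and entropyBits are hypothetical, and the wordlist is a constructed stand-in for a real 7776-entry list.

```javascript
// Added example: not DicePass's own code. Web Crypto in the browser;
// the fallback only matters when running offline on older Node.js.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// One fair die roll (1-6). A byte has 256 values, and 256 is not a multiple
// of 6, so bytes >= 252 are discarded to avoid modulo bias.
function rollDie() {
  const buf = new Uint8Array(1);
  for (;;) {
    rng.getRandomValues(buf);
    if (buf[0] < 252) return (buf[0] % 6) + 1;
  }
}

// Steps 1-2: five rolls form one 5-digit key such as "31462".
function rollKey() {
  let key = "";
  for (let i = 0; i < 5; i++) key += rollDie();
  return key;
}

// Constructed stand-in for a real wordlist: all 6^5 = 7776 keys mapped to
// placeholder words. Replace with the parsed wordlist file in real use.
function buildPlaceholderWordlist() {
  const list = new Map();
  const digits = ["1", "2", "3", "4", "5", "6"];
  let keys = [""];
  for (let i = 0; i < 5; i++) {
    keys = keys.flatMap((k) => digits.map((d) => k + d));
  }
  keys.forEach((k, i) => list.set(k, "word" + i));
  return list;
}

// Steps 3-4: look up one word per key, six times by default.
function generatePassphrase(wordlist, words = 6) {
  const out = [];
  for (let i = 0; i < words; i++) {
    const word = wordlist.get(rollKey());
    if (word === undefined) throw new Error("wordlist is missing a key");
    out.push(word);
  }
  return out.join(" ");
}

// Step 5: entropy in bits of `words` picks from a list of `size` entries.
function entropyBits(size, words = 6) {
  return words * Math.log2(size);
}
```

The rejection step in rollDie is what keeps each face equally likely; taking a random byte modulo 6 without it would make faces 1 to 4 slightly more frequent than 5 and 6.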

So, I’ve created DicePass (you can also get the code on GitHub). You can use the hosted version or clone the repository and run it locally (just open index.html in your browser).

The hosted version doesn’t use any tracking code (no Google Analytics) or 3rd parties that can track you. Even the share buttons are a custom implementation using a URL that opens in a new window/tab to protect your privacy.

Feedback, comments and pull requests are welcome.

Enjoy, and use long random passphrases!

 

Let’s Encrypt Error: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

Are you using Let’s Encrypt? (If not, you should go ahead and use it to generate SSL certificates for ALL of your web servers).

If you want to run it on EC2 or GCE using the --standalone argument (./letsencrypt-auto certonly --standalone -d example.com), make sure port 443 (for SSL) is open on that server.

Otherwise you’ll get the infamous:

The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

Go ahead. Install it. Today.

GoogleWorld the new Web and privacy

Whether it is Gmail, Google Base, Google Video, Google Answers, Froogle, Google Blog Search, Google Book Search, Google Maps or Google Toolbar, Google seems to be conquering the world by offering a lot of services in different and diverse areas.

(You can get a good review of the various Google Services here)

With your Google Account (which is also your Gmail email), Google can also track a person specifically and learn things about him/her: what he/she searched for, shopped for, is interested in, etc.

Actually, according to this, Google also learns a lot about you even without having a Google Account.

The main problem with Google is that they are not actually showing the users what they are doing with this information.

Yes, they have a privacy policy. Yes, they claim they are “not evil”, and to some degree I believe them, but I really want to know what is being done with the information being gathered about me.

Let me take Amazon as an example. When I buy things at Amazon they save it in their database. They also encourage me to fill in a wish list or even mark products that I already own so they will be able to offer me products that I’m interested in.

In addition to that, when they recommend something to me they always tell me why this product was offered to me, and I can directly see and understand what they did with the information they gathered about me and the information I have supplied them.




Google will soon hit the privacy wall hard, and as more sites of the “forbidden word” start gathering more and more information about people and their doings, I think it’s time for Google and the rest of the world to start actually showing people what is being done with this information.

A good start would be to do what Amazon is doing: telling you why things have been recommended.