Category: General

Let’s Encrypt is a project aimed at making the internet safer, at least a bit. The means is to automate PKI certification creation to the point when the price drops to zero or at least close. Let’s Encrypt hands out their certificates for free, although donations (even small ones) are welcome. Google is encouraging https connections by ranking them higher in search results. Chrome browser has started warning about non-https sites.

If your web hosting provider supports Let’s Encrypt, start using it. Even if they don’t mention it on their pages, you can still ask why it is not supported. Especially if they have links for commercial certificate providers.

If you run your own servers you have to work little harder. The automation behind Let’s Encrypt means that there is no web user interface for the service. You need to have a script on the server that will install and renew the certificate automatically. EFF provides CertBot that makes this easy on most Unix-like operating systems. Installation and deployment depend on the OS and web server, but EFF’s web page has instructions for the most popular ones. There are several alternatives for Microsoft Windows.

In general you need to create a hidden directory .well-known on your web site, where the script will create a file for the duration of the transaction. This is how Le’ts Encrypt can verify that the request comes from the correct domain. This verification method can cause problems, because the domain on the certificate must be accessible from the internet by https. For example you can not get a certificate for an internal-only website like an intranet (at least without some extra steps) or non-http services unless they are on the same server as the http server.

The script will save the public and private keys on the disk. You can set the file path in script settings, but the default is fine as long as you add the full paths to your web server configuration.

The certificate will be valid for 90 days only, but thanks to the automated renewal you won’t notice when it is renewed. Let’s Encrypt recommends running the script twice a day to ensure smooth renewal. Most of the times the script will do nothing, so it does not tax your server.

The certificate on this site is from Let’s Encrypt. You can check it by clicking on the lock symbol in the address bar (or whatever symbol your browser uses).

Links:

• Let’s Encrypt
• CertBot
• Alternatives for CertBot

Everyone knows, that passwords should be long, complex, nonsense and so forth. The problem is, such passwords are impossible to remember, especially when you need a lot of them and they need to be changed periodically. That’s why most users use the same password for all services. However, that is the worst solution. It would be more secure to write down all different passwords in your notebook. If there is a leak in one service, the hackers will try the same usernames and passwords in Facebook, GMail, Twitter etc. Usually they succeed in many cases. Then the hackers can expand the identity theft and perhaps convince your friends to step into a trap.

How should you do it?

Make up a permanent password

Make up a password that contains upper and lower case letters and a few special character and number. Start with a simple word with at least six characters, let’s say garage. Replace the r with a 4 to get ga4age for example. Replace the last e with # to get ga4ag#. Capitalize all the vowels to get gA4Ag#. That is starting to look like a proper password. Try to type it on the keyboard. Is it easy enough to type or should you change something? In the best case you should use keys alternatively from both ends of the keyboard, because that way it is faster to type with two hands. In that sense gA4Ag# is not the best choice, but will do as an example here. Avoid characters that are special to your locale. For example ü or ß would appear on every German keyboard, but may be hard to find elsewhere. Avoid also currency symbols like $, £ or €. You may one day need to type your password in a Asian internet cafe. Don’t worry about remembering this password. You will learn it by heart because you will use it everywhere and it will not change.

Make up a word for every service you use

Associate a word for every service. For example workplace account could be payday, frequent flyer account airport, pet forum doggies, email letters etc. Don’t choose the shortest words. Even better if you can come up with more personal associations. Like if you love to fly to beach resorts for vacations, use beaches for the frequent flyer account. Write down the names of the services and the associated words. You can use paper or a notebook, but even better is a file in DropBox, OneDrive, GMail or such (but then you must remember that password!) If this list leaks out, it is of no use without the permanent part and the formula.

Invent a formula to combine the two

Make up an algorithm to combine these. For example two characters from the service word, then the permanent password and the rest of the service word. That would make gA4Ag# + beaches = begA4Ag#aches. Or two characters from each, then the rest or begAaches4Ag#. However you do it, make sure your method splits the service word into at least two sections. You can also use first or last syllables instead of a character count.

These passwords are safe from both dictionary and brute force attacks. They won’t exist in any dictionary and are long enough to defend against systematically trying all character combinations. If you need to renew the password you only need to come up with a new word for the service. There is no need to ever change the permanent password or formula as long as they are kept secret. That’s why you mustn’t write them down!

Deployment

This is how far you can get as a mental excercise only. To actually deploy this takes some effort. You need to log on to every service and update your password. You only need to do this once, but it will take an afternoon or so. We all have quite a few accounts to manage. Start with the service you use most: workplace account, AppleID, Facebook, GMail… You will later come across services you didn’t remember, but always change the password to the new system as you log on.

Here is an Excel spreadsheet where you can try the different password rules described: [Download]