Nougat

tl;dr: “Strike that, reverse it.”

They can bid all they want to put ads in front of me, I ain’t gonna see them. Of course, they probably know that, too.

Bad actors can afford $50 the same as good ones.

The difference between $0 and $50 isn’t really relevant.

LetsEncrypt is legit. A downside is that the certs expire after 90 days. However, that also carries an upside in that it limits the damage in case a certificate is compromised. There are procedures by which you can automatically renew/request (I forget whether they allow renewing an existing cert or require a brand new one) LE certs and apply them to your application, but that can be fiddly to configure.

If you’re not comfortable with configuring automatic certificate cycling, a long-term paid cert would be more appropriate.

While “Cisco Duo” is not listed here:

The following is a list of Cisco’s trademarks and registered trademarks in the United States and certain other countries. Please note, however, that this listing is not all-inclusive and the absence of any mark from this list does not mean that it is not a Cisco trademark.

Trademarks are exactly how rules for naming things works.

Expect this name to change when Cisco comes at them for being too close to Cisco Duo.

To address the “why”:

A user account, as defined by a username/password combination, can be used to access resources on the machine without logging in interactively on that machine. In a perfect world, you would only ever log in interactively on the machine using an account with restricted permissions, and when you needed to do “administraty” things, you would provide separate admin credentials at that time (sudo, runas, whatever your OS of choice supports).

Bonus question - what are the risks of having a weak password on a root user on a spare laptop on the same network as my main device that is used exclusively for web browsing?

If someone is able to compromise that root user on Machine A, then they may be able to leverage Machine A as a platform to attack any other devices on your network, or make Machine A into a zombie in their bot army to attack other targets anywhere, send spam, whatever malicious shenanigans they desire. (I know that’s pretty simplistic, there’s a whole lot of details left out, but that’s the gist of it.)

Also, nobody has yet mentioned the PIN option. I know that Windows machines (at least some of them, depending on configuration) allow you to configure a PIN for logon for local accounts. This PIN is only stored locally on the machine, and is not transmitted anywhere else. It’s basically a “shortcut” to the full password, and I think it can only be used for interactive logon.

And you might even - wait for it - come across things that you weren’t expecting to, or don’t fully agree with. Being exposed to ideas like that is much healthier than being fed what an algorithm decides will elicit engagement from you.

Try different toothpastes. The very popular ones (Crest, Colgate) I find treacly sweet and disgusting, and I fucking hate mint anything. Arm and Hammer is my go to for that bland goodness. YMMV.

I’m just sad that basically nobody I know personally actually uses the fediverse

oooOOOooooo look at this one, they know people personally.

It’s also possible to have Windows log in as a specific user at boot, without user input. Regardless of operating system, your logged on session is in the context of some user account, whether you interactively log in or the system does it for you.

The PIN is stored locally on the machine only. It doesn’t get synced with anything anywhere. It’s actually much safer to use a PIN for authentication because it’s four digits that you (well, maybe not you) don’t have to write down, and the only time it works is on the physical machine. The user account password can be long and/or complex, but if you’re only ever authenticating at the keyboard, all you have to remember is the PIN.