DicePass Passphrase Generator

Originally developed by Arnold G. Reinhold, Diceware is a technique for generating random passwords that you can actually remember. This tool adapts the original scheme using a variety of published wordlists.


Introduction to Password Strength

Passwords like L20VtG7KTdC952DkJChp are very secure because to guess the password, a hacker's best shot is to try random combinations of 20 uppercase letters, lowercase letters, and numbers. Let's call this the "key space" of possible passwords. For each of the 20 positions, there are 62 possible characters, so the key space has 62^20 entries in it. This is a huge number, so to make these numbers more manageable, we take the base-2 log of the key space size to get around 119 bits of entropy for this password.

The key takeaway here is that if we choose a password at random from a known key space, then even if a hacker knows what key space we used, they can do no better than randomly guessing passwords in that space. If the space is big enough, they will essentially never guess our password. We can measure the strength of a password as its entropy. The higher the entropy, the stronger the password.

A quick side note: entropy is also used to measure the strength of encryption keys. For example, you might have heard of 128-bit AES encryption. This means that the encryption key had 128 bits of entropy, which NIST considers safe for use beyond 2031 (see page 59 of NIST.SP.800-57pt1r5). To protect against quantum computing, which effectively cuts the strength of symmetric encryption in half, some people use 256-bit keys.

Entropy Requirements for Password Managers

It's hard to know just how much computing power a hacker can bring to crack your password, but let's use results from a cracking competition run by 1Password as a guide. They found that with 1,000,000 rounds of PBKDF2, which is a common step used by password managers to slow down cracking, it would cost $1.4 trillion to break a password with 70.81 bits of entropy. For another perspective, Reinhold argues that 90.4 bits is currently uncrackable, and 103 bits should be secure through 2050.

Passphrases for Random, Memorizable Passwords

The problem with passwords like L20VtG7KTdC95 (77 bits of entropy) is that they're practically impossible to memorize. To make memorization easier, the Diceware technique calls for selecting words at random instead of random characters. We can make a list of words and choose them at random to get a passphrase, and we can calculate that passphrase's entropy in the same way as we did with the random password above.

Using this Tool to Generate Passphrases

This tool draws words at random from a wordlist of your choice and selects the number of words you request. Then it shows the selected words and passphrase strength.

Security Considerations

Ordinarily, you should never use a password generated for you online. However, this tool doesn't use the internet at all. It is a single HTML page that you can (and should) run offline. In fact, this tool will refuse to generate a passphrase unless you turn off your internet connection. You should also only run this tool in an up-to-date browser that you trust (since a malicious browser could steal your passphrase) and that has no extensions (since a malicious extension could also steal your passphrase).

Nothing in this file requires internet access, so if you want to be extra sure that it's not sending your passphrase anywhere, you can copy the file to your computer, shut off the internet, open it in your browser, compute your password, and then quit the browser before turning the internet back on. If you are viewing this page over the web, you can download the HTML file for use offline by using your browser's "save" feature.

Lastly, to help ensure no one has tampered with this file, you should download it over a secure (HTTPS) connection. This tool will refuse to run if it is not loaded either over HTTPS or from a local file.

If you are really sure you know what you are doing, you can bypass the safety checks described above by adding an unsafe=true query parameter to the URL when loading this tool.

Password Lists

There are a number of wordlists available--you can choose whichever one you prefer. Recall that we're relying on the enormous space of possible keys to keep us safe, so it's okay if a hacker knows which list you used.

EFF

The EFF list comes from the Electronic Frontier Foundation. As they discuss in a blog post, they adapted the original Diceware lists to make the words more familiar to average English speakers, more concrete, and less profane.

Diceware Original

This is the original Diceware list from Reinhold's website.

1Password

When 1Password ran a password-cracking competition, they released the list of words their version of Diceware uses. This option uses that list, which is longer than the EFF or original Diceware lists. Since the list is longer, you can get a given amount of entropy from fewer words.

Multilingual

Jeffrey Goldberg of 1Password put together a larger collection of wordlists from different languages. This allows for passphrases of the same strength as the original Diceware scheme with fewer words. While his original discussion of these lists appears to have been removed, the files are archived at the GitHub repository tianhuil/dicewords.

Technical Details

You can inspect the source code of this page, which includes the graphical interface, the word-choosing code, and the wordlists all in one file, if you want to see the details of how it all works. Excluding the wordlists, it's only about 270 lines, with only about 40 of those lines containing the meaningful logic (the rest is the graphical interface).

If you don't want to read the code, however, here's a summary of the process we follow.

  1. Check that the user has entered a valid number of words, is accessing the page over a secure context, and has disabled their internet connection.
  2. Use the getRandomValues() Web Crypto API to get a random 32-bit unsigned int. Note that the Web Crypto API is suitable for cryptographic use.
  3. Check whether the selected random number is greater than or equal to the limit (the number of 32-bit unsigned ints floor-divided by the length of the wordlist, then multiplied by the length of the wordlist). If it is, then we pick a random number again. If we didn't do this, then it would be more likely for us to pick earlier words than later ones. For example, suppose we were generating a random number from 0-9 and were picking from a list of 4 words. In the next step we use a modulus operator to convert the random number to an index, so there would be 3 random numbers mapping to the first word (0, 4, and 8) but only 2 random numbers mapping to the last word (3 and 7). With our safeguard in place, we only allow random numbers less than 8, so there are 2 random numbers mapping to each word. For another discussion of this algorithm, see this forum post by Jeffrey Goldberg of 1Password.
  4. Divide the random value by the length of the wordlist and keep the remainder (modulo operation). This remainder is the index of the chosen word in the wordlist. Add that word to the passphrase.
  5. Repeat by drawing another random value until the desired number of words have been chosen.
  6. To compute the entropy, take the base-2 logarithm of the wordlist length and multiply by the number of words chosen.

Licensing

Copyright (c) 2023 U8NWXD

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.