Everyone should be using a good password manager, as there is simply no other way to remember and deploy strong unique passwords for every website, service, and app that you use. While using a password manager makes it easy (just do it, ok?)! Using Diceware methods we show you how to create memorable passwords that are also secure to ensure your privacy.
The only real snag is that password managers are themselves secured with a master password. Which is, itself, something that worries many people, as it provides a single point of failure? If that one password becomes compromised then all your other passwords do too.
The use of two-factor authentication mitigates against this problem quite considerably, but the fact remains that a lot rides on the master password.
And here is the catch – us poor humans are very bad at remembering genuinely secure passwords (D*pS8t3^/um=KRJ anyone?). And you can’t, of course, use your password manager to remember it for you!
The same issue affects unlocking mobile phones and other situations where a strong password is needed before you can deploy a password manager.
So what we need is a password which is genuinely secure, but which we can actually remember…
What is Diceware?
Diceware is a method helps to improve password security by randomizing word selection to create “passphrases” that humans can remember. Although memorable, these passphrases are also extremely secure. Below we have listed some examples of Diceware passphrases:
- sediment preschool reactor area crux plentiful domestic
- entitle slinky vigorous blinking exhaust fresh lunchtime
- reappear roving pectin twirl antacid folic marbles
Each word adds 12.9 bits of entropy to the passphrase. The above examples all use 7 words (90.47 bit entropy), but you can use as many as you like. The minimum recommended number these days is 6 (77.55 bit entropy), up from the original recommendation of 5 (64.62 bit entropy). More than 10 words is very hard to remember.
Why Passphrases are secure
One key factor affecting the security of a password is how long it is (in technical jargon this translates to its size in bits). Sentences are longer than words, with the bonus that spaces and capitals add additional entropy (in the same way using -#$ etc. in a password makes it harder to guess or brute force).
“I like taking Spot my dog to the park on rainy days” is a lot more secure than “spotismydog,” but is also easy to remember.
So a passphrase you can remember is almost always better than a password you can remember (as opposed to a computer-generated one you are unlikely to).
Which is all well and good, but it’s still not that secure. Us humans can’t help but think in patterns, and invariably make up sentences which have some kind of logical sense or meaning to us, using words which have a guessable relationship to each other.
How does Diceware work?
Diceware uses a list of 7776 short words, abbreviations, and easy-to-remember character strings to generate a word. To use, simply throw five dice (yes, actual physical 6-sided dice!) one at a time, or all at once reading from left to right, and cross-reference the result with the list.
Below is a short sample from the original Diceware list:
Since the original list was created in 1994, additional lists have been created to cater to some 30 different languages. In addition to this, in 2016 the Electronic Frontier Foundation (EFF) published three alternative English lists using words which are on average longer than in the original, but which are intended to be easier to remember.
There is also a special list for adding symbols and other weird stuff (&^%#@) that some password forms insist on.
Can I use a computer to generate Diceware passphrases?
It is, of course, possible to use a computer to do the hard work for you. Indeed, many password managers (such as KeePassXC below) and websites offer to do just this.
You should be aware, however, that computers really struggle with true randomness. The clue is in their name – they compute. They can simulate randomness by computing algorithms to reach a result, but because they are just algorithms, the “pseudorandom” numbers generated ultimately predictable.
It’s up to everyone to assess their own threat models, but using real physical dice to generate Diceware passphrases is much more secure than relying on a predictable computer algorithm to do it for you.
Diceware is completely free to use. Word lists and full documentation is available on the official Diceware Passphrase home page.