About Diceware
Weak passwords are a big flaw in computer security because they lack "entropy", or randomness. For example, how many times have you used the name of a pet, relative or street in a password, or perhaps the number "1"? Not very random, is it? 😃
Worse still, if passwords are reused between services, that increases your security risk. This is not theoretical; it has already happened.
Fact is, humans are terrible at remembering random combinations of letters and numbers, but we are great at remembering phrases of words. That's where Diceware comes in.
This Diceware web app is based on the original proposal, wherein virtual dice are rolled 5 times and the resulting 5-digit number is looked up in a table of words.
Four such rolls give you 4 random words which are easy for a human being to remember, yet have a high amount of entropy, which makes them hard to crack.
For more information on Diceware:
For more information on the entropy in passphrases, I'd like to refer you to this XKCD comic:
Diceware is a trademark of Arnold Reinhold.
Frequently Asked Questions
FAQ: Why does this website look familiar?
Probably because it was forked from another website, https://diceware.dmuth.org/. I found that website very useful but wanted there to be a few additional features, so I added them to this site!
FAQ: Why not use a Password Manager?
By all means, feel free to do so. Dashlane is a great product and I highly recommend it.
That said, there's no reason that Diceware cannot be used concurrently with a password manager.
If you want the absolute highest levels of password security, consider using Strongbox. One neat thing about Strongbox is that it comes with a built-in Diceware client!
If you prefer insults in your passphrases, check out the Insult Passphrase Generator by Ron Hardin. Each passphrase has ~42 bits of randomness.
FAQ: What are some good use cases for Diceware?
- Smart TVs: Diceware is a great fit for password entry on Smart TVs, or any other environment where typing non-alphanumerics is a challenge.
- Work/Shared Computer: Let's say you're using a computer that you do not own, and want to log into a personal account. You may not want to install 1Password on that machine, so if you've generated that account's password with Diceware, it will be much easier to type in on the keyboard.
FAQ: What are some BAD use cases for Diceware?
You should not use Diceware in any case where it is highly likely an attacker can get a copy of your encrypted password and run high-volume cracking attempts against it.
A bad case--possibly the worst case--for using Diceware would be to secure your Bitcoin wallet, because every Bitcoin node has a copy of the Bitcoin ledger, and an attacker could attempt to crack your wallet password.
FAQ: Should I add numbers or an exclamation point to my password?
Not unless you have to. The short answer is that length makes your password more secure than special characters do. But don't take it from me, take it from the man who put us through password hell and regrets every minute of it.
This website will generate a random number, a special character, or both if you tell it to, since several websites out there still require you to include either or both.
NIST has since released new password creation guidelines in a document which is rather lengthy, but summarized nicely here.
FAQ: Will this protect me from phishing attacks?
Nope, even the best password in the world won't protect you if it is phished. However, having a password unique to that service will help mitigate the harm. Two Factor Authentication will also help you.
"I can't believe you're sending passwords over the Internet!"
Chill. I'm not. Passwords are generated within your browser and do not leave it (unless you copy them out yourself).
FAQ: Are these dice rolls cryptographically secure?
Yes, insofar as we're using the getRandomValues() function in JavaScript, and you trust that your browser and computer have not been compromised or otherwise tampered with. Keep in mind that a not-so-theoretical attack would be for an attacker to compromise the random number generator on your computer, so that anything encrypted (or any passkeys generated) with it would be susceptible to less intense cryptanalysis.
FAQ: How secure is the Diceware approach?
If you want the absolute worst password security, go right ahead and use the same password everywhere, so that when one service is cracked, an attacker can compromise every account you own. (Plz don't do that)
If you want the absolute best security, choose a different password of completely random characters for each service.
If you want a middle-of-the-road approach that offers medium security, Diceware is the way to go.
This article is a bit dated, but the entropy (randomness) of Diceware passwords is substantial and can present a challenge to the NSA.
FAQ: Is the source available?
Yep! You can grab a copy at https://github.com/Grant094/grant094-diceware or see the original code at https://github.com/dmuth/diceware.
In fact, if you are nervous about generating a password on a website (even though the password is actually generated by JavaScript in your browser), you can download the source code and run it locally.
If you do want to run Diceware locally, just download the source and run a webserver in Python with this command: python -m SimpleHTTPServer 8000. You will then be able to access Diceware at http://localhost:8000/.
FAQ: Is there a way to roll the dice automatically?
Yes, there is. Append "?debug=N" to the URL to automatically roll the dice N times.
Examples:
- Roll the dice 4 times.
- Or 5 times.
- Or even 6 times!
FAQ: Can the checkboxes be automatically selected?
Yeah. Append "?num", "?special", "?skip_animation", or any combination thereof to the URL to check the relevant box on page load.
FAQ: Can you tell me more about the list of words?
For rolls of 5 dice, this site uses the wordlist from the EFF. Substantial enhancements have been made over the original list, designed to improve usability without compromising security.
The original wordlist contains a lot of symbols, punctuation, numbers, and 2- and 3-letter words.
Another wordlist with longer words, only alphabetic characters, and more commonly-used words is Peter Norvig's list of the 1/3rd million most frequently used words.
FAQ: How many dice are rolled per word?
The default is 5 dice, which allows for 7,776 different words per roll. There are some debug hooks in the code so that you can run Diceware with 6 dice per word and 7 dice per word (for 46,655 and 279,935 possible words, respectively), but the words used become more obscure and therefore harder to remember, which may not be worth it. For now, though, the functionality is there.
Meta
Have you built anything else?
Yep! I've built a few things you may find interesting:
Who built this? / Contact
My name is Grant Oxer, and I am looking to become a software engineer in Seattle, WA.
There are multiple ways to get in touch with me:
Feel free to reach out to me if you have any comments, suggestions, bug reports, or wish to buy me a
beer. 😃🍻