The Diceware Passphrase Page

What Is A Passphrase?
- Passphrases are used with Wi-Fi wireless network security systems such as WPA and WPA2 when used in personal shared key (PSK) mode. The security of both systems depends on the strength of the passphrase you choose.
- Popular password manager programs require a master password or passphrase to protect the data they store.
- Passphrases are used with disk encryption programs such as PGPdisk and Apple’s FileVault. Many organizations require disk encryption on laptops to meet regulatory requirements for protecting sensitive information.
- The latest versions of most popular operating systems, including Windows XP and Mac OS X, let you use longer passphrases for log-on identification instead of only accepting short passwords.
- New digital currencies such as BitCoin use passphrases to protect the “coins” from misappropriation.
- Using a short passphrase as an answer to a required “security question” (like “What city were you born in?”) protects you against attempts to discover your answer by researching your online data.
A good passphrase is:
- Known only to you
- Long enough to be secure
- Hard to guess — even by someone who knows you well
- Easy for you to remember
- Easy for you to type accurately
What Is Diceware?
An excerpt from the Diceware word list (each five-digit number is one set of five dice rolls, followed by its word):
16655 clause
16656 claw
16661 clay
16662 clean
16663 clear
16664 cleat
16665 cleft
16666 clerk
21111 cliche
21112 click
21113 cliff
21114 climb
21115 clime
21116 cling
21121 clink
21122 clint
21123 clio
21124 clip
21125 clive
21126 cloak
21131 clock
Using Diceware
- Download the complete Diceware list or the alternative Beale list and save it on your computer. Print it out if you like. Then return to this page.
- Decide how many words you want in your passphrase. A five-word passphrase provides a level of security much higher than the simple passwords most people use. We recommend a minimum of six words for use with GPG, wireless security and file encryption programs. A seven- or eight-word passphrase is recommended for high-value uses such as BitCoin and the like. For more information, see the Diceware FAQ.
- Now roll the dice and write down the results on a slip of paper. Write the numbers in groups of five. Make as many of these five-digit groups as you want words in your passphrase. You can roll one die five times or roll five dice once, or any combination in between. If you do roll several dice at a time, read the dice from left to right.
- Look up each five-digit number in the Diceware list and find the word next to it. For example, 21124 means your next passphrase word would be “clip” (see the excerpt from the list, above).
- When you are done, the words that you have found are your new passphrase. Memorize them and then either destroy the scrap of paper or keep it in a really safe place. That’s all there is to it!
Example
Suppose you want a six-word passphrase, so you need 6 × 5 = 30 dice rolls. Say the rolls come out as:
1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2, 3, 5, 6, 1, 6, 6, 5, 2, 2, 4, 6, 4, 3, 2, and 6.
Written in groups of five:
1 6 6 6 5
1 5 6 5 3
5 6 3 2 2
3 5 6 1 6
6 5 2 2 4
6 4 3 2 6
Looking each group up in the word list gives:
1 6 6 6 5 cleft
1 5 6 5 3 cam
5 6 3 2 2 synod
3 5 6 1 6 lacy
6 5 2 2 4 yr
6 4 3 2 6 wok
Your passphrase is:
cleft cam synod lacy yr wok
Some Tips
- For maximum security make sure you are alone and close the curtains. Write on a hard surface — not on a pad of paper. After you memorize your passphrase, burn your notes, pulverize the ashes and flush them down the toilet.
- If you are using a passphrase for file encryption, we recommend you keep a copy written down in a safe place. If you don’t and you forget your passphrase, your files are lost forever.
- If you want to work from a printed copy of the word list, download the Diceware word list in PDF format or PostScript format. These files are formatted with 4 columns and 54 lines per page. You will get a neat, 36-page printout in which the first two dice throws are the same for each page. This makes look-ups especially easy. If you prefer a more compact printout, here is an 11-page version from Patrick Feisthammel. Be careful not to mark the printed copy in any way while you are selecting words. You can also find the word list as an Appendix to Internet Secrets.
- If you need to make up passphrases often, get a shoe box or a food storage box about the same size. Put five dice in the box, shake them up vigorously — at least ten hard shakes — and then tip the box to let all the dice slide down to one edge. Now open the box and read the dice from left to right, or front to back if a few line up. Then just look up the corresponding word list entry. Repeat this process until you have enough words for your passphrase.
- We recommend that you use the passphrase exactly as generated. If you want a stronger passphrase, select an additional word using the Diceware method.
- Because some words on the Diceware list are two characters or less, you can get a very short passphrase. If your passphrase, including the spaces between the words, is less than 17 characters long, we recommend that you start over and create a new passphrase. You should also start over if your passphrase is a recognizable English sentence or phrase. (These situations are extremely rare.)
- See the Diceware FAQ for suggestions on how to memorize your passphrase.
Optional stuff you don’t really need to know
- For extra security without adding another word, insert one special character or digit chosen at random into your passphrase. Here is how to do this securely: roll one die to choose a word in your passphrase, roll again to choose a letter in that word. Roll a third and fourth time to pick the added character from the following table (the third roll selects the column, the fourth roll the row):

                  Third Roll
                  1  2  3  4  5  6
  Fourth Roll  1  ~  !  #  $  %  ^
               2  &  *  (  )  -  =
               3  +  [  ]  \  {  }
               4  :  ;  "  '  <  >
               5  ?  /  0  1  2  3
               6  4  5  6  7  8  9

- For the technically inclined, each word in your Diceware passphrase yields 12.9 bits of entropy, the way passphrase security is measured. A five-word Diceware passphrase would have an entropy of at least 64.6 bits; six words would have 77.5 bits, seven words 90.4 bits, eight words 103.2 bits. Inserting a letter at random adds about 10 bits of entropy. All this assumes, of course, that you actually keep your passphrase a secret.
- You’ll find a lot more information you don’t really need to know in the Diceware FAQ.
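The procedure above (grouping rolls, looking up words, the 17-character rule, the entropy estimate and the special-character table) in runnable form, as an added example that is not part of the Diceware page. It assumes a constructed mini word list made only of the entries shown on this page, an OS-CSPRNG die as a software stand-in for physical dice, and, where the page is silent, that an out-of-range word or letter roll is re-rolled and that the extra character is placed right after the chosen letter.

```python
"""Added example (not the Diceware page's own code): turn recorded die rolls
into a Diceware passphrase and apply the page's checks."""
import math
import secrets
# Constructed mini word list: the page's excerpt plus the six entries from
# its worked example. The real Diceware list has all 7776 five-digit keys.
WORDLIST = {
    "16655": "clause", "16656": "claw", "16661": "clay", "16662": "clean",
    "16663": "clear", "16664": "cleat", "16665": "cleft", "16666": "clerk",
    "21111": "cliche", "21112": "click", "21113": "cliff", "21114": "climb",
    "21115": "clime", "21116": "cling", "21121": "clink", "21122": "clint",
    "21123": "clio", "21124": "clip", "21125": "clive", "21126": "cloak",
    "21131": "clock", "15653": "cam", "56322": "synod", "35616": "lacy",
    "65224": "yr", "64326": "wok",
}
# The page's special-character table: column = third roll, row = fourth roll.
SPECIALS = ["~!#$%^", "&*()-=", "+[]\\{}", ":;\"'<>", "?/0123", "456789"]

def roll_die() -> int:
    """Software stand-in for a physical die: OS CSPRNG, never random.random."""
    return secrets.randbelow(6) + 1

def rolls_to_words(rolls, wordlist=WORDLIST):
    """Read rolls left to right in groups of five and look each key up."""
    if len(rolls) % 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need a multiple of five rolls, each 1..6")
    keys = ["".join(map(str, rolls[i:i + 5])) for i in range(0, len(rolls), 5)]
    return [wordlist[k] for k in keys]

def entropy_bits(n_words: int) -> float:
    """Each word is one of 6**5 = 7776 equiprobable choices, ~12.9 bits."""
    return n_words * math.log2(6 ** 5)

def long_enough(words) -> bool:
    """Page's rule: start over if the passphrase with spaces is under 17 chars."""
    return len(" ".join(words)) >= 17

def insert_special(words, r1, r2, r3, r4):
    """Four extra rolls: word (r1), letter in it (r2), column (r3), row (r4).
    Assumptions not stated on the page: a roll past the word count or word
    length is rejected (re-roll), and the character goes after the letter."""
    if r1 > len(words):
        raise ValueError("word roll exceeds word count: re-roll")
    word = words[r1 - 1]
    if r2 > len(word):
        raise ValueError("letter roll exceeds word length: re-roll")
    new_word = word[:r2] + SPECIALS[r4 - 1][r3 - 1] + word[r2:]
    return words[:r1 - 1] + [new_word] + words[r1:]
```

Feeding the page's example rolls to `rolls_to_words` reproduces "cleft cam synod lacy yr wok"; with the full list, `[roll_die() for _ in range(30)]` supplies the rolls when no dice are at hand.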
Why Diceware?
- Easy to learn and use
- Very secure
- Totally prescriptive – we tell you exactly what to do at each step of the process
- Transparent – there are no “trust me”s
- Free – there is no computer software or hardware required, just the Diceware list and some ordinary dice
“I just wanted to relate a personal story about how hard it is to convince a novice how important it is to select a secure password, and get them to understand what constitutes a secure password. I am an old-timer at both the Internet and security issues. My sister, however, is brand new to it having just opened an Internet account. She lives in [the mid-west] while I live [on the west coast]. As a result, we exchange quite a bit of very personal email.
Recently, she wanted to give her Internet password to her husband so that he could get on line. However, she still wanted to be able to exchange private messages with me that he would not be able to read. I, of course, introduced her to PGP.
I gave her the usual lecture about how important it is to select a password that nobody else can easily guess, and that the ideal password would be some obscure and nonsense word that would have meaning only to her. I told her all about not selecting birthdays, anniversaries, names, and the like. I didn’t suggest a random combination of letters and numbers because we were not after world class security, we just wanted to keep her husband out of our private letters. So, after she selected her PGP password, I decided to give it a try at cracking it. The VERY FIRST password I tried worked! She was totally surprised at how easily I had found it, but it was a word that anyone knowing her would have access to. So, after giving her some more tips on good password selection, I let her try again. This time, it took me only 3 attempts before I found the right word. Finally, she gave up and let me pick a password for her.”
Diceware in Other Languages
Sample passphrases generated from Diceware word lists in other languages:
radiar balca imaginar insula sinitizin dar
distel ist landen kammer puffen
hirt neŭtr livre etern krank esoter
multa h64 quien enero tubo
olli kukot hoveli hintaa airoja
ileus humide diktat sbire peotte
casi botole stadi maglia venivo
iatoto okaoka aacrewa takawa unene takoru
ijler 100 leperd akolei kolkje
plewka szpieg raban pruski ibi
ark altan rodel lamm kyot
derz permi turba um beniz
Help support this page by buying books I worked on. They make great gifts! Switching to a Mac For Dummies (banging your head against a wall – it feels so good when you stop), Green IT for Dummies (chock full of useful information that can save the planet), and Internet Secrets, 2nd ed., with chapters by me on cryptography and Diceware, including the Diceware wordlist. You can find them at your local bookstore or click on the titles to order them directly, in association with Amazon.com.
Arnold G. Reinhold
e-mail: my initials (3 letters) a t mac dot com
PGP Fingerprint:
FA C3 82 FB 05 5E 03 1A 34 04 79 EA 9E 76 7B 67