Weak passwords are a big flaw in computer security due to a lack of "entropy"
or randomness. For example, how many times have you used the name of a pet or relative or street
in a password, or perhaps the number "1"? Not very random, is it? 😃
Worse still, if
passwords are reused between services, that increases your security risk
. This is not theoretical, this has already happened.
Fact is, humans are terrible at remembering random combinations of letters and
numbers, but we are great at remembering phrases of words. That's where Diceware comes in.
This Diceware web app is based on the proposal at http://world.std.com/~reinhold/diceware.html
wherein virtual dice are rolled 5 times, and the 5 digit number used against a lookup table of words.
4 dice rolls gives you 4 random words which are easy for a human being to remember, yet have
a high amount of entropy which makes them hard to crack.
For more information on Diceware:
For more information on the entropy in passphrases, I'd like to refer you
to this XKCD comic
Diceware is a trademark of Arnold Reinhold.
FAQ: Why not use LastPass or a similar product?
By all means, feel free to do so. LastPass is an excellent product and I highly recommend it.
That said, there's no reason that Diceware cannot be used concurrently with LastPass. Personally,
I like passwords that I can remember.
FAQ: What are some good use cases for Diceware?
- Smart TVs: Diceware is a great fit for password entry on Smart TVs, or any other environment where typing non-alphanumerics is a challenge.
- Work/Shared Computer: Let's say you're using a computer that you do not own, and want to log into a personal account. You may not want to install LastPass on that machine, so if you've generated that account's password with Diceware, it will be much easier to type in on the keyboard.
FAQ: What are some BAD use cases for Diceware?
You should not use Diceware in any cases where it is highly likely an attacker can get a copy
of your encrypted password and use high-volume cracking attempts against it.
A bad case--possibly the worst case--for using Diceware would be to secure your BitCoin wallet,
because all BitCoin nodes have a copy of the BitCoin Ledger, and an attacker
could attempt password cracking your wallet
Better still, don't use BitCoin
(Seriously, avoid crypto and NFTs
FAQ: Should I add numbers or an exclamation point to my password?
No, don't do that. The short answer is that length makes your password more secure than special characters do. But don't take it from me, take it from the man who put us through password hell
and regrets every minute of it.
The NIST has since released new password creation guidelines in a document which is rather lengthly, but summarized nicely here
"I can't believe you're sending passwords over the Internet!"
. I'm not. Passwords are generated within your browser and do not leave it (unless you copy them out yourself).
FAQ: Are these dice rolls cryptographically secure?
Yes, insofar as we're using the
and you trust that your
browser and computer have not been compromised or otherwise tampered with. Keep in mind that a not-so-theoretical attack would be for an attacker to compromise the random number generator on your computer so that
anything that is encrypted (or passkeys generated) would be suspectible to less intense cryptoanalysis.
FAQ: How secure is the Diceware approach?
If you want the absolute worst password security, go right ahead and use the same password everywhere so that when one service is cracked, an attacker can compromise every account you own. (Plz don't do that)
If you want the absolute best security, choose a different password of completely random charcters for each service.
If you want a middle of the road approach that offers medium security, Diceware is the way to go. I wrote it for people like my parents
, who might struggle with a password manager or not want to enter random characters when trying to enter their Apple password into their Apple TV, or want a password to log into their Mac that they can actually remember and not have to write down.
This article is a bit dated, but the entropy (randomness) with Diceware passwords is substantial and can present a challenge to the NSA
FAQ: Is the source available?
Yep! You can grab a copy at https://github.com/dmuth/diceware
In fact, if you are nervous about generating a password on a website (even though the password is actually
If you do want to run Diceware locally, just download the source and run a webserver in Python with
this command: python -m SimpleHTTPServer 8000
. You will then able to access DiceWare at
FAQ: Is there a way to roll the dice automatically?
Yes, there is. Append "?debug=n" to the URL to automatically roll the dice N times.
Examples: Roll the Dice 4 times.
Or 5 times.
Or even 6 times!
FAQ: Is there a way to skip the dice animation?
Yeah. Append "?skip_animation" to the URL to not display the dice animation
Examples: 4 dice rolls with no animation
FAQ: Can you tell me more about the list of words?
For rolls of 5 dice, I am now using the worldlist from the EFF
. Substantial enhancements
have been made over the original list
designed to improve usability without compromising security.
I started off using the original wordlist
but it contained a lot of symbols, punctuation, numbers, and 2 and 3 letter words. I wanted to try a different
wordlist with longer words, no non-alphabetic characters, and words more commonly used. So then I tried
list of the 1/3rd million most frequently used words
. Peter Norvig's list is still in use for when 6 or 7 dice are rolled.
FAQ: How many dice are rolled per word?
The default is 5 dice, which allows for 7,776 different words per roll. While I have some debug hooks
in the code so that you can run Diceware with 6 dice per word
7 dice per word
(for 46,655 and 279,935 possible words, respectively), the words
used become more obscure, which makes them more difficult to remember, so I'm not entirely sure that is a good thing.
But for now, the functionality is there, if there is a desire for it.
FAQ: Is Air-gapped Operation Supported?
It is now! The entire project can be downloaded and executed on a machine that is not connected to the Internet.
I was able to pull this off due in part to uploading the code to an AWS S3 Bucket and then making that
content available via CloudFront
FAQ: How secure is the webserver this app is on?
I used to host this app on my personal webserver, but didn't like that doing so increased my webserver's
S3 bucket, and the content is served up via CloudFront
an SSL certificate provided by AWS Certificate Manager
The S3 bucket has CloudTrail
enabled on it, so that I have
an audit trail of all actions performed on that bucket.
FAQ: Why did you change the wordlist?
I am always considering what words I use in the wordlist. I may opt to use shorter words in the future.
Have you built anything else?
Yep! I've built a few things you may find interesting:
Who built this? / Contact
My name is Douglas Muth
, and I am a software engineer in Philadelphia, PA.
There are several ways to get in touch with me:
Feel free to reach out to me if you have any comments, suggestions, bug reports, or wish to buy me a beer. 😃🍻