Diceware Passphrase Generator (EFF Wordlist)

What is Diceware?

Diceware is a method for generating strong, memorable passphrases by picking words at random from a known list. Invented in 1995 by Arnold Reinhold, the original protocol used physical dice: you rolled five dice to get a 5-digit number, looked it up in a 7,776-word list, and repeated until you had enough words. The result is a passphrase that is provably strong because the math of random selection is public and auditable.

The security of Diceware comes from one idea: if each word is chosen uniformly at random from a list of size N, it contributes exactly log2(N) bits of entropy. This number is not a score, not a heuristic, not a strength-meter guess. It is a real measurement. With the 1,296-word EFF short list used here, each word contributes ~10.34 bits, so a 6-word passphrase has about 62 bits of entropy — enough to resist any realistic brute-force attack.

Why use Diceware over random characters?

A 12-character random-character password like vG3#kL9$wP2q has ~78 bits of entropy and is completely unmemorable. Most people end up writing it down or reusing a weaker password they can remember, which defeats the purpose.

A 6-word Diceware passphrase like acorn-haven-prism-dolphin-radius-tulip has comparable entropy and is actually memorable — after a few days of use, your brain encodes it. You can recall it without a password manager, type it without errors, and share it over the phone without spelling every character. Security researchers (including the EFF, NIST, and most of the cryptography community) consistently recommend passphrases over character-random passwords for precisely this reason.

The EFF short wordlist

This tool uses the EFF short wordlist #1, published by the Electronic Frontier Foundation in 2016. It has three properties that make it better than the original Diceware list for modern use:

• 1,296 words (not 7,776) — small enough for 4 dice per word instead of 5, short enough that each word is memorable
• 3–5 characters per word — easy to type and quick to write down
• Unique 3-character prefix per word — you can type only the first three letters and autocomplete the rest, which matters for password managers and typing on phones
• No profanity, no offensive words, no homophones — safe to read aloud, safe to use in professional contexts

The list is public domain (CC BY 3.0 US). You can inspect it, audit it, and even run the EFF's generation procedure yourself. This is the whole point of Diceware: the security rests on public math, not on secret algorithms.

Entropy: the only number that matters

Entropy is the logarithm of the number of possible passwords in your system. If all passwords are equally likely, the entropy tells you exactly how hard it is to guess one. It does NOT depend on whether your password "looks random" or contains symbols — it depends only on how it was generated.

bits_of_entropy = words × log2(wordlist_size)

// EFF short list (1,296 words):
3 words → 31.0 bits  (weak)
4 words → 41.4 bits  (weak)
5 words → 51.7 bits  (reasonable)
6 words → 62.0 bits  (strong)      ← recommended baseline
7 words → 72.4 bits  (very strong)
8 words → 82.7 bits  (very strong)

An attacker with a botnet doing 1 billion guesses per second (a realistic high-end attack) would need, on average:

• 5 words: ~2 weeks
• 6 words: ~37 years
• 7 words: ~39,000 years
• 8 words: ~40 million years

Six words is the recommended minimum for valuable accounts (email, banking, password manager master). Seven is safer if the account protects other accounts (password manager master passwords should always be 7+). Eight is overkill for almost anything, but free if you can memorize it.

How this tool works

Click Regenerate to pick new words. Every word is selected using crypto.getRandomValues(), the browser's cryptographically secure random-number source. It is not Math.random(), which is not safe for security purposes.

Rejection sampling is used to eliminate a subtle bias. The naive approach, word = list[random() % N], is slightly biased toward lower indices because 2³² does not divide evenly by 1,296. This tool discards random values in the biased range and re-rolls, giving a truly uniform distribution. The difference is small (~0.0003 bits) but fixing it is free and matters for principle.

Controls:

• Word count (3–12): how many words the passphrase has. More words = more entropy but slower to type
• Separator: dash, dot, space, or underscore. Pick whatever your target system accepts — dashes work everywhere, spaces are more readable
• Capitalize each word: forces Title-Case-Each-Word. Cosmetic only — does NOT add entropy (the attacker knows the format)
• Append a 4-digit number: adds ~13.3 bits of entropy (log2(10000)). Useful when a site requires a digit; the entropy cost is real but the requirement is usually policy theater

The entropy display is honest: it assumes the attacker knows your format (word count, separator, capitalization, wordlist). That is the correct cryptographic assumption — security by obscurity is not security. Adding capitalization does not increase the shown entropy because a smart attacker would try title case as a standard permutation.

Important rules

• Never memorize a passphrase you modified by hand. "Modifying to look more secure" destroys the uniform-random property and gives you weaker entropy than a raw 4-word Diceware phrase
• Never reuse passphrases across sites. Diceware gives you strong passphrases cheaply — you can generate one per account and store them in a password manager. The master password for the manager itself is the one you memorize
• Reject a passphrase only for typing difficulty, never for looking "too predictable". The only thing that matters is the process, not the appearance. correct-horse-battery-staple is as strong as any other 4 words from the same list
• Do not use a personal wordlist (band names, pet names, hobbies). It is smaller than 1,296 words and weighted toward guessable items, collapsing your entropy by 5–20 bits
• Do not pick "lucky" words. Re-rolling until you get a passphrase you like biases the distribution and reduces entropy

When Diceware is the wrong tool

Use a password manager with random 20-character output for accounts you do not need to memorize (most accounts). Use Diceware for the handful of passwords that must live in your head: the password manager master password, full-disk encryption, and maybe a backup email recovery phrase. For everything else, long-random-character output from a password manager is more compact and equally secure.

Privacy

Passphrase generation runs entirely in your browser. The wordlist is a static file bundled with the page; the random selection uses your device's local crypto API. No network calls are made after the page loads, nothing is logged, and the passphrases you generate never touch any server.

If you are paranoid (and you should be, for a master passphrase): generate it on a device that has been offline since boot, or use physical dice with the EFF wordlist printed on paper. The tool is convenient; offline physical dice is the gold standard for generating a passphrase that will protect lifelong secrets.

Frequently asked questions

Why not use the long EFF wordlist (7,776 words)?

The long list gives 12.9 bits per word instead of 10.3, so you need fewer words for the same entropy (5 long-list words ≈ 6 short-list words). But the long list has longer, less common words, and the EFF specifically recommends the short list for memorability. For 99% of use cases, 6 short words beats 5 long words because you'll actually remember it.

Can I trust this tool?

You can trust three things: (1) crypto.getRandomValues() is implemented by browser vendors and audited by security researchers worldwide, (2) the EFF wordlist is public and you can compare it against EFF's published version, (3) the code that assembles the passphrase runs in your browser and you can read it in the DevTools Sources tab. There is no server, no API key, no account — nothing to intercept. That said, for protecting genuinely life-changing secrets, prefer offline dice generation.

Why is appending a number only +13.3 bits?

A 4-digit number has 10,000 possible values. log2(10000) ≈ 13.29. This is what uniform-random selection from 10,000 options gives you — no more, no less. Intuitively it feels like adding a number should do more because "hackers can't predict numbers," but that is not how entropy works. A 4-digit number is worth slightly more than one word from the list (10.34 bits). Adding one more word is both more secure and more memorable.

Is capitalization adding security?

No — because the attacker knows the format. A Title-Casepassphrase has the same entropy as the same words all-lowercase. Real attackers test both cases as a standard part of their brute force. Capitalization is fine for aesthetics or for meeting stupid password policies ("must contain an uppercase letter"), but it does not help security.

Does this work when I'm offline?

Yes. After the page loads once, the wordlist and all code are cached. You can disconnect, reload the page (or open it from history), and generate passphrases with no network connection. The random source crypto.getRandomValues() is provided by your operating system, not by a server.

Can I use this for cryptocurrency seed phrases?

No. Wallet seed phrases (BIP39, Electrum) use a different 256-word or 2048-word wordlist with a specific checksum scheme. They are not interchangeable with Diceware. For a real wallet seed, use the wallet's built-in generator or buy a hardware wallet.

Is my data sent anywhere?

No — the wordlist is bundled into the page, the random numbers come from window.crypto, and the passphrase is assembled in your browser. There is no API to call and no analytics on what you generate.