The Diceware Passphrase FAQ

Do I have to study all these questions and answers?

No, you do not. The instructions on the Diceware page are usually enough to enable you to make and use your passphrase. But you may find some of the information here interesting and useful. Some topics covered include login passwords, Hushmail, legal issues, CipherSaber and tables for creating random strings. There is also a very important note of caution for users of Unix, Linux and Mac OS-X as well as one for Windows users.




Products advertised are not endorsed by Diceware or A G Reinhold.

What is Diceware?

Diceware is a technique that uses dice to produce random text for passphrases and other uses. The Diceware method provides an easy way to create strong passphrases that are easy to remember, for example: alger klm curry blond puck

To build your passphrase, you pick short words from a list that is indexed in a special way that makes it easy to select the words randomly using ordinary dice. See the main Diceware page for all the details.

How long should my passphrase be?

I now recommend six words for most users, or five words with one extra character added at random. (This is a change from my previous advice. I had previously written that longer Diceware might be vulnerable by about 2014. Well it's 2014. Today criminal gangs probably have access to more computing power than the NSA did when this page first appeared. So I am upping my passphrase length advice by one word.)

In their February 1996 report, "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security," a group of cryptography and computer security experts -- Matt Blaze, Whitfield Diffie, Ronald Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener -- stated:

"To provide adequate protection against the most serious threats... keys used to protect data today should be at least 75 bits long. To protect information adequately for the next 20 years ... keys in newly-deployed systems should be at least 90 bits long."

A five-word Diceware passphrase has an entropy of at least 64.6 bits; six words have 77.5 bits, seven words 90.4 bits, eight words 103 bits. (Four words only provide 51.6 bits, about the same as an 8 character password made up of random ASCII characters. Both are breakable in less than a day with two dozen graphics processors.) Inserting one extra letter at random adds about 10 bits of entropy. Here is a rough idea of how much protection various lengths provide, based on updated estimates by A.K. Lenstra (see www.keylength.com). Needless to say, projections for the far future have the most uncertainty.

Pick your passphrase size based on the level of security you want.

Another way to think about passphrase length is to consider what security precautions you take to physically protect your computer and data. Here is a list of possible passphrase lengths and commensurate security precautions. The list of precautions is not intended to be complete. I am not trying to discourage anyone from using longer passphrases if they feel up to it, but the added strength without comparable physical security for your computer is of limited value.

5 words

6 words

Note: Six or more words should be used on systems that use the passphrase directly to form a transmission or encryption key. Such systems include Hushmail, disk encryption (e.g. Apple's FileVault), Ciphersaber, and WiFi's WPA.

7 words

Note: However, I do encourage using seven or more words on high value systems that store money directly, such as BitCoin. I do not claim to be an expert on BitCoin, but some Internet searching suggests that many BitCoin wallets do very little key stretching. That, and the fact that wallets are often used to store large sums of money, make them a very attractive target. I am not saying that a 7 word Diceware passphrase will make BitCoin safe; there are other risks to consider.

8 words

For people seeking long term data protection (greater than 10 years) I would recommend adding one word to the above suggestions.

What if I want a passphrase that matches the full 128-bit security that PGP or Hushmail offers?

Use a ten-word Diceware passphrase. For memory purposes, think of it as two 5-word passphrases.

Of course, if you are worried about an organization that can break a seven word passphrase in order to read your e-mail, there are a number of other issues you should be concerned with -- such as how well you pay the team of armed guards that are protecting your computer 24 hours a day.

Should I write down my passphrase?

This is a very important question. Much advice says never write down your passphrase under any circumstances. I disagree.

I believe most people are more afraid of forgetting their own passphrase than they are of having it stolen. As a result they tend to pick passphrases that are far too weak. I actually did a small survey on this question and the results support my view. See http://world.std.com/~reinhold/passphrase.survey.asc

Also many people need multiple passphrases for different programs and needs. Remembering them all can be difficult, particularly those that are used infrequently. For most people it is better to pick strong passphrases, write them down and keep them in a very safe place. There may be legal advantages to memorizing your key, however.

What about HushMail?

HushMail.com is a new free e-mail service that lets you exchange encrypted messages with other HushMail users. The HushMail folks seem to have done their homework and produced a system that is reasonably strong, but they have stated that if need be they can be compelled to modify the service they provide to an individual so as to comply with a court subpoena.

The security of Hushmail is totally dependent on the quality of the passphrases both you and your recipient select.

Pick the longest Diceware passphrase you feel comfortable remembering (at least six words). Your HushMail passphrase might look like this:

hera steam slop aim join del

Note: When you tell your friends about HushMail, tell them about Diceware.com as well. Remember, the security of any message you send depends on the recipient's passphrase, not your own.

If someone knows that I am using Diceware, can't they just use the word list to search for my passphrase?

The Diceware method is secure even if an attacker knows that you used Diceware to pick your passphrase, knows how many words are in your passphrase and knows the word list you used. The security of Diceware comes from the huge number of combinations that an attacker must search through even with that knowledge. The Diceware word list contains 7776 words, so if you pick a five-word passphrase, there are 7776 x 7776 x 7776 x 7776 x 7776 combinations. That is over 2**64 (2 to the 64 power or 2.6 X 10**19) possibilities. A six word Diceware passphrase confronts an attacker with 2**77 (2 X 10**23) combinations; seven words 2**90 (1.5 X 10**27). (Click here for a longer explanation.)

Any suggestions on how to memorize my Diceware passphrase?

Try making a mnemonic. First, make sure you know what each word means. Look it up if you have to. Then try to make up a story that uses those words. For example, here is a five word Diceware passphrase selected at random:

strop 17 aw tete karp

My dictionary defines strop as a strip of leather used to sharpen a razor. Tete, as in tete-a-tete comes from the French word for "head." So I imagine myself sharpening my razor knife seventeen times before cutting off the all wet head of a fish. It may sound hokey, but it works!

Why are there so many meaningless words like abc, du, rrrr or 456 in the Diceware list?

An important goal of Diceware is to keep passphrases short. Based on the limited survey I did, I concluded that most people simply will not accept a 50 character passphrase that they have to type in several times a day to read, send or sign e-mail. Peter Kwangjun Suk had the clever idea that short non-words like "abc" "456" or "dn" are about as easy to remember as regular words and reduce the average length of a randomly selected password.

Also, I never heard of ncaa, boise or a&p.

The original Diceware word list is slanted somewhat to American English. Alan Beale has compiled an alternative list that replaces most Americanisms and many obscure words with more recognizable alternatives. You can find it at http://world.std.com/~reinhold/beale.wordlist.asc

There are some obscure words in both lists. If your passphrase includes a word you don't know, look it up in a good dictionary. Learning the word's meaning will aid your memory and your vocabulary.

I still find the passphrases generated by Diceware hard to remember.

Tastes vary. Use your passphrase several times a day for a week. If you find you still cannot remember it, and aren't comfortable writing it down, try a different method. Follow the links on the Diceware page.

What is CipherSaber?

Powerful forces are trying to prevent you from using strong encryption. One way to stop them is to teach as many people as possible how to write strong encryption programs of their own. CipherSaber is a strong encryption method so simple that you can write the program yourself if you have elementary programming skills -- even if it is only a knowledge of Basic. CipherSaber is intended to demonstrate that banning strong cryptography is futile, but the program is also useful and a lot of fun to make. CipherSaber can use Diceware passphrases directly as a key. Find out more at http://ciphersaber.com

I forgot my passphrase. Can my data be recovered?

The first rule is not to panic. Don't erase that encrypted file. The human mind is unpredictable. You may remember the passphrase tomorrow in the shower or next week while watching a movie. If the passphrase you have written down does not work after repeated tries, copy it letter for letter starting at the right. Or ask someone else to type it in. If you have it in your head that the third word is "cot" you will type it that way even if it plainly says "cut."

Back in 1996 National Public Radio's All Things Considered program ran a great story about a woman who works for a data recovery firm as a "Data Crisis Counselor." (Click here for the Real Audio version) When her employer cannot recover data from a customer's damaged hard disk, it is her job to break the news and help the customer cope with the loss. She draws on her training in psychology and her experience counseling for a suicide hot line.

The Diceware page does not have a data crisis counselor, so I must give you the bad news straight. If you used a strong encryption program and then really lost your passphrase, you are out of luck. Your data probably cannot be recovered. Sorry.

The moral is do not forget your passphrase! That's why I advise you to write it down.

To Capitalize or Not to Capitalize?

All the words in the Diceware list are in lower case. The entropy values shown above are based on the passwords as generated, with no capitalization. You can increase entropy further by capitalizing some characters, but is it worth the effort?

Randomly capitalizing the characters in your passphrase adds one bit of entropy per character, raising the entropy from (roughly) 3 bits to 4 bits per character. However each capitalization requires pressing the shift key. Since, on the average, half the characters are capitalized, the number of key strokes will be increased by a factor of 1.5 so the entropy per key stroke will be 4/1.5 = 2.67 bits. This is less than the entropy per keystroke of the original lowercase password!

You could argue that the number of added keystrokes is less than half since you can hold down the shift key during runs of capitals, but the mental effort is still there. And, of course it is much harder to remember a passphrase like "rATIO Acts PR AsTOr" than "ratio acts pr astor."

The entropy added by having just one random capital in a typical five-word passphrase is 4.4 bits (log2 of number of characters in the average 5-word passphrase). By contrast, inserting one random character somewhere in the middle of your passphrase increases its entropy by about 9.5 bits (4.4 + log2 (36)). See the instructions on the Diceware page.

If all this seems like lily-gilding, just stick with the original passphrase you got from the Diceware word list.

Exceptions: This analysis does not apply to situations like older Unix login passwords, where the length of the password is limited to 8 characters. There, random capitalization is an important way to increase security. Also, some systems insist that you use a mix of uppercase and lowercase letters for passwords. For such systems we suggest you select one of your Diceware words at random using a dice throw and capitalize its initial letter.

Should I include spaces between words in my passphrase?

It is best to include the spaces. If you don't, your passphrase could be weaker than you expect. For example, without the spaces the six word passphrase “stray clam my aloof micro judo” is the same as the five word “stray clammy aloof micro judo”. I used to say no, because of the risk of acoustic monitoring. The space bar on many keyboards has a distinctive sound. Someone overhearing you could determine the length of each word you typed, which would aid significantly in an attack. But someone that close to you or who is bugging your workspace has many other ways to recover your passphrase. If you'd rather remove spaces, look for combinations that form a word you did not expect, like “clammy” in the example, and add a space or punctuation character just between them, e.g. “clam?my.” Or just add another word to your passphrase.

Whichever way you choose -- spaces or no spaces -- you must decide before you use your passphrase for the first time. After that, always enter your passphrase the same way.
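
The collision described above can be checked mechanically before you settle on a passphrase without spaces. This Python sketch is an added example, not part of the original FAQ or the Diceware project; `SAMPLE_WORDS` is a constructed subset holding only words from this page's examples, and the function names are hypothetical.

```python
import math

# Constructed sample: only words that appear in this page's examples.
# A real check must load the complete list you rolled against.
SAMPLE_WORDS = ["stray", "clam", "my", "clammy", "aloof", "micro", "judo",
                "hera", "steam", "slop", "aim", "join", "del"]


def split_stats(text, wordlist):
    """Return (ways, fewest) for splitting `text` into words from the list.

    ways   -- number of distinct word sequences that spell `text`
    fewest -- smallest word count among them (None if no split exists)
    """
    words = set(wordlist)
    longest = max(len(w) for w in words)
    n = len(text)
    ways = [0] * (n + 1)
    fewest = [None] * (n + 1)
    ways[0], fewest[0] = 1, 0
    for end in range(1, n + 1):
        for start in range(max(0, end - longest), end):
            if ways[start] and text[start:end] in words:
                ways[end] += ways[start]
                if fewest[end] is None or fewest[start] + 1 < fewest[end]:
                    fewest[end] = fewest[start] + 1
    return ways[n], fewest[n]


def check_without_spaces(passphrase, wordlist, list_size=7776):
    """Report what an attacker searching short passphrases first would face.

    `passphrase` is given with spaces; the check runs on the joined string.
    """
    chosen = passphrase.split()
    ways, fewest = split_stats("".join(chosen), wordlist)
    if fewest is None:
        raise ValueError("passphrase contains a word that is not in the list")
    return {
        "chosen_words": len(chosen),
        "readings": ways,               # more than 1 means ambiguous
        "effective_words": fewest,      # length of the shortest reading
        "bits_lost": (len(chosen) - fewest) * math.log2(list_size),
    }


if __name__ == "__main__":
    for phrase in ("stray clam my aloof micro judo",
                   "hera steam slop aim join del"):
        print(phrase, "->", check_without_spaces(phrase, SAMPLE_WORDS))
```

Against the full word list the number of readings can be higher than this subset shows, because the list also contains very short entries.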

How often should I change my passphrase?

You should change your passphrase whenever you change your PGP or Hushmail key or you think it may have been compromised. There is little advantage in changing it more often.

What should I do if I think someone else may know my passphrase?

Change your PGP or Hushmail key and your passphrase.

Can I be legally forced to reveal my passphrase or cipher key?

Note: I am not a lawyer and cannot give legal advice. See a lawyer if you need legal advice. The following is the best information I have obtained on the subject.

As far as United States law is concerned, a key that is written down can be subpoenaed if the government knows it exists. As for a key that is memorized, the government's approach has been to demand the plaintext contents of encrypted hard drives, not the key itself. In January 2012, a federal district judge in Colorado ordered a criminal defendant to decrypt her laptop's hard drive. "I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer." An appeal was denied pending trial of the case. https://www.eff.org/cases/us-v-fricosu http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/

On February 23, 2012, the U.S. Court of Appeals for the Eleventh Circuit issued a ruling in U.S. v. John Doe that limits the government's ability to force someone to decrypt their laptop. As I read it, the ruling says the government can only demand a hard drive be decrypted if it already has some specific knowledge about the files contained on that drive, so that the act of producing them would not constitute testimony that they exist. The court distinguished this case from the Colorado case because there the government had wiretaps which mentioned data on the defendant's laptop. The appeals court decision is worth reading. It's at https://www.eff.org/sites/default/files/filenode/OpinionDoe22312.pdf

An older analysis of this question is "Self Incrimination and Cryptographic Keys" by Greg S. Sergienko, 2 RICH. J.L. & TECH. 1 (1996), http://www.urich.edu/~jolt/v2i1/sergienko.html. At one point Sergienko says:

"In Doe v. United States (Doe II), the Court recognized that "be[ing] compelled to reveal the combination to his wall safe" would be testimonial compulsion, but suggested that the key to a strongbox containing incriminating documents would not be." -- "Doe v. United States, 487 U.S. 201, 210 n.9 (1988) (Doe II). The Court had earlier suggested that the privilege could exist with respect to a combination to a safe. Couch v. United States, 409 U.S. 322, 333 & n.16 (1973) (citing United States v. Guterma, 272 F.2d 344 (2d Cir. 1959))."

Sergienko points out that the Government might grant "use immunity" to force you to produce your cryptographic key. He concludes:

"Cryptography may provide a technical fix for Supreme Court decisions allowing the invasion of one's private papers. However, the effectiveness of that fix will depend on whether the Court holds that use immunity from the compulsory production of a cryptographic key extends to the incriminating documents decrypted with the key. Logic suggests that the Court should so hold.

However, the Court's inconsistencies in this area suggest the limits of logic. The Court has consistently reconstructed Fourth and Fifth Amendment precedents to move away from historical practice. This reconstruction is in part responsible for the Court's inconsistencies. ..."

Another good older paper on the subject is http://www.law.miami.edu/~froomkin/articles/clipper1.htm#ToC78

These examples deal with U.S. criminal law. In a civil case, as I understand it, failure to provide your key could result in a judgment against you.

The laws of other countries vary greatly. Under the Regulation of Investigatory Powers Bill in England, you could face a two-year jail term for failing to provide keys. The burden of proof may be on you to prove you don't remember the passphrase. For this reason, a passphrase consisting entirely of random characters may be a better bet for UK residents. Bert-Jaap Koops maintains a valuable Crypto Law Survey page with information on cryptography laws throughout the world.

What is "salt"?

Salt is a block of non-secret data that is appended to the passphrase before it is hashed. The salt data is transmitted in the clear along with the message. Salt prevents certain attack strategies, such as a dictionary attack.

A dictionary attack involves building a list of possible passphrases along with precomputed cryptographic information that lets the attacker check that passphrase faster. Salt prevents this by requiring a separate entry for each salt value. If you use 30 bits of random salt an attacker will need a billion dictionary entries for each passphrase.

Also, without salt, an exhaustive search attack could attack a large number of target keys at once. An attacker hashes each trial passphrase and sees if it works for any of the keys she is attacking. Salt prevents this because it is unlikely that two users will have the same salt.

If you can use passphrases of arbitrary length, you can compensate for any lack of salt by adding your own. If you are using a security program that you aren't sure uses salt, pick the longest Diceware passphrase you feel comfortable remembering (preferably six words) and then add on something that is not secret but is unique to you, such as a familiar telephone number or the name of a favorite character or celebrity. So your final passphrase might look like this:

hera steam slop aim join del 5552368

Is the Diceware word list available in other languages?

Yes, see the main Diceware page for a complete list. If you know of any others that are not listed there, please let me know and I will be glad to add a link to it on the Diceware page. If you would like to create a word list in some other language, check out the Diceware Kit, which contains instructions on how to build one. Let me know if you do and I will add a link to your list, if appropriate.

How can I tell if the Diceware list I download has been tampered with?

The English lists are PGP signed by Arnold Reinhold, but all you really have to do is inspect the list. All words should be in alphabetical order and there should be no duplicates. As long as all the words are different, the list will provide full security. A substantial number of duplicates would have to be introduced to materially weaken the Diceware list's security, so a quick scan of the list is all that is needed.
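
The inspection described above can be automated, and the same pass can measure how much a given number of duplicates actually costs. This Python sketch is an added example, not code from the Diceware project; the lists it runs on are constructed placeholders (`w0000` to `w7775`), and plain string comparison is assumed for the ordering check.

```python
import math
from collections import Counter

EXPECTED_SIZE = 6 ** 5  # 7776 entries, one per five-dice roll


def audit_wordlist(words, expected_size=EXPECTED_SIZE):
    """Check a word list for the tampering signs the FAQ names.

    Entropy figures are per word when the dice pick a list *position*
    uniformly, so a word that appears twice is twice as likely.
    """
    if not words:
        raise ValueError("empty word list")
    counts = Counter(words)
    duplicates = sorted(w for w, n in counts.items() if n > 1)
    # Indices whose entry sorts before the previous one. Plain string
    # comparison is an assumption; a list with its own collation needs
    # its own sort key here.
    out_of_order = [i for i in range(1, len(words)) if words[i] < words[i - 1]]

    total = len(words)
    probs = [n / total for n in counts.values()]
    return {
        "size_ok": total == expected_size,
        "duplicates": duplicates,
        "out_of_order": out_of_order,
        # Average uncertainty per word.
        "shannon_bits": -sum(p * math.log2(p) for p in probs),
        # Uncertainty of the single most likely word.
        "min_entropy_bits": -math.log2(max(probs)),
    }


def constructed_list():
    """Placeholder list w0000 ... w7775, constructed for this example."""
    return [f"w{i:04d}" for i in range(EXPECTED_SIZE)]


def tampered_list(n_dupes=100):
    """Constructed tampering: overwrite n_dupes entries with their
    predecessor, which keeps the list looking sorted."""
    words = constructed_list()
    for i in range(1, 2 * n_dupes, 2):
        words[i] = words[i - 1]
    return words


if __name__ == "__main__":
    for name, lst in (("clean", constructed_list()),
                      ("tampered", tampered_list())):
        r = audit_wordlist(lst)
        print(f'{name}: {len(r["duplicates"])} duplicated words, '
              f'{len(r["out_of_order"])} out of order, '
              f'{r["shannon_bits"]:.3f} bits/word')
```

With 100 duplicated entries the average entropy per word falls by about 0.03 bits, which is the sense in which a substantial number of duplicates is needed to weaken the list.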

Why shouldn't I use a Diceware passphrase shorter than 17 characters?

One way someone might use to find your passphrase is to write a computer program that tries all combinations of characters up to some length. If your Diceware passphrase is very short, such a program would come up with your passphrase eventually. Using a passphrase that is at least 17 characters in length, including the spaces between the words, makes such an attack as difficult as searching all six word Diceware passphrases. By the way, it is very unlikely that the dice will give you a passphrase that short.

If you use a five word passphrase, it should be at least 14 characters in length, including the spaces between the words; for six words, at least 17 characters; for seven words, at least 20 characters; for eight words, at least 22 characters.

If your passphrase is too short, you could just select another word to make the short passphrase longer, but since the passphrase will consist almost entirely of two letter combinations, and therefore will be very hard to remember, I recommend selecting a new passphrase from scratch. Since such short passphrases are very rare, rejecting them does not materially reduce the entropy of the Diceware approach.

What is entropy?

Entropy is a measure of the uncertainty or randomness of a system. The concept is a difficult one to grasp fully and is confusing, even to experts. Strictly speaking, any given passphrase has an entropy of zero because it is already chosen. It is the method you use to randomly select your passphrase that has entropy. Entropy tells how hard it will be to guess the passphrase itself even if an attacker knows the method you used to select your passphrase. A passphrase is more secure if it is selected using a method that has more entropy.

Entropy is measured in bits. The outcome of a single coin toss -- "heads or tails" -- has one bit of entropy.

Is there an algorithm for calculating entropy in a passphrase?

This is an important question that unfortunately does not have an easy answer.

If a passphrase is selected from a universe of N possibilities, where each possibility is equally likely to be chosen, the entropy is log2(N). The symbol "log2" stands for the base-two logarithm. Most calculators don't have a button for base-2 logarithms, but you can use the formula:

log2(N)=log(N)/log(2).

If the passphrase is made out of M symbols, each chosen at random from a universe of N possibilities, each equally likely, the entropy is M*log2(N). For example, if you make a passphrase by choosing 10 letters at random, the entropy is 10*log2(26) = 47.0 bits.

If the passphrase is a phrase in a natural language, the problem is much more difficult. There is a famous estimate due to Shannon that the average entropy of written English is about 1.3 bits per letter. See Schneier's Applied Cryptography, 2nd Ed. p.234. However, applying this estimate to a passphrase is questionable. People are much more predictable than they think they are. In general, it is very hard to give a good estimate of entropy for a passphrase when any human judgment is involved.

If you really want security, select your passphrase in a way that is truly random. One good way to do this is to use Diceware. The entropy offered by Diceware is 12.9 bits per word (log2(7776)), so a five-word passphrase has an entropy of 64.5 bits.

Are the figures you give regarding the quality of Diceware passwords affected by English language redundancy?

The figures I give regarding the quality of Diceware passwords are not affected by English language redundancy. This issue confuses many people, so a longer explanation is called for.

To understand what is going on here, it would help to think first about a different way to construct a passphrase that is also valid: selecting letters at random from the ordinary English alphabet:

abcdefghijklmnopqrstuvwxyz

There are, of course, 26 letters in this alphabet. There are many ways to select random letters. I describe a few in the Diceware FAQ. Let's not worry about how for now, but assume we have selected a passphrase consisting entirely of random letters, say ten of them. How strong is this passphrase? Well, first we should count how many possible 10-letter passphrases there can be. There are 26 possibilities for the first letter, another 26 for the second letter and so on ten times. So the number of possibilities is:

26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 = 141167095653376

Mathematicians refer to that as "twenty six to the tenth power" and usually write it as the number 26 with a superscript of 10. Since we don't have superscripts in e-mail, we write it here as 26**10, which is the way it is written in many computer programming languages.

Now 141167095653376 is a pretty big number, but we run into a lot of big numbers in cryptography, so to compare them we ask how many binary digits (bits, for short) it would take to represent this number. It turns out that 26**10 = 141167095653376 almost fits in 47 bits (just misses by a hair), so we would say 141167095653376 is a 47 bit number and your ten random character passphrase has a strength of 47 bits.

If you have been following discussions about PGP, you probably are aware that 47 bits is not considered very strong. You might want to have a stronger passphrase. One way to do this would be to pick more random letters. You might get an idea that since 10 letters gave us 47 bits of randomness, each letter is worth 4.7 bits. Turns out that is almost exactly correct. So, for example, a 20 random letter passphrase would give you 94 bits of security, which is pretty strong.

Suppose you don't want a passphrase that long, for some reason. One way to allow a shorter passphrase to be strong is to use more symbols in the alphabet. You might choose at random from uppercase letters, lowercase letters, the digits, and a couple of special characters:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789=+

That is a total of 64 symbols and it turns out that gives you exactly 6 bits of randomness per symbol. So a 15 letter passphrase chosen from this list of symbols would have 90 bits of randomness.

Now suppose Susan is fluent in Chinese and wants an even shorter passphrase. She might pick at random from a list of 1000 common Chinese characters. In such a situation each character would have 10 bits of randomness, so a password with 90 bit strength would take only 9 Chinese characters. Susan might worry, however, that not all computers allow easy entry of Chinese characters. So she may use some method that represents each Chinese character as 3 English letters. Her passphrase would now be 9 X 3 = 27 letters long, but she still might find it easier to remember just 9 Chinese characters.

Note that in the three situations described above, the strength of the passphrase did not depend on keeping the alphabet or list of symbols secret. It only depended on the number of possibilities that someone who wanted to guess the passphrase had to contend with.

The same is true of Diceware. The Diceware word list contains 7776 words. You can think of the Diceware word list as a giant alphabet of 7776 symbols. If you pick seven words from the list, there are

7776 X 7776 X 7776 X 7776 X 7776 X 7776 X 7776 =

  1,719,070,799,748,422,591,028,658,176

possibilities. That works out to a little more than 90 bits of strength, or about 12.9 bits per word. Note, by the way, that each of the passphrase selection methods we just talked about above -- random single case alphabet letters, random upper and lower case letters and digits, random Chinese characters and Diceware -- are equally secure, as long as the number of symbols selected gives the same number of bits of strength. The only advantage of Diceware is that it is more user friendly: the passphrase is easier to remember and perhaps easier to type accurately.

So where does redundancy in English figure into all this? Let's go back to the first example, picking random letters from the alphabet. Remember we needed 20 random letters to get 94 bits of strength. Picking 20 letters at random is a tad tedious. Let's say Bob is lazy and not too up on all this crypto stuff. So instead of picking 20 letters at random, he closes his eyes, picks out a book at random from his book case, opens to a random page and stabs his finger onto some place on the page. Bob then opens his eyes and writes down the first 20 letters starting to the right of his finger. He figures that will be random enough, right? Absolutely not! There are predictable patterns in English (and all other human languages). Certain letters occur more frequently than others, for example. People who have studied this estimate that random English text has about 1.5 bits of randomness per letter. That is a lot less than the 4.7 bits for each letter selected one at a time using a random method like dice. Bob's passphrase, by this estimate, would only have 30 bits of strength.

But, you might ask, Diceware is made up mostly of English words. Doesn't that redundancy affect it at all? Well, it does. The seven word Diceware passphrase we talked about above would average about 30 letters in length (36 if you count the spaces between the words). If those letters were selected randomly, you would get 4.7 bits of strength per letter. That would work out to a lot more than the 90 bits Diceware claims for a seven word passphrase. The difference is the redundancy of English at work. However, English redundancy does not affect the calculation that each Diceware word has 12.9 bits of randomness, which is based entirely on how many different words there are in the Diceware list. You can rely on that number.

What are Casino dice?

Casino dice are precision made, translucent dice for use in gambling establishments. The added uniformity over toy dice is probably not significant for creating passphrases, but might be important if you want to use dice to directly generate random numbers for statistical purposes. Guy Macon writes:

"This is a bit of overkill for what your web page is about, but I did manage to get some interesting (and useless!) information on dice.

[One gambling site on the 'net once claimed that] to beat the house with crooked dice, you need at least a 0.3167% edge, so I must assume that crooked dice must have at least that much bias. Probably a lot more if the cheater wants to make money before the dice at the table are changed."

According to one serious Casino dice collector, "Dice used in board games are crudely manufactured and always favor the higher numbers (4, 5, and 6) because more material is drilled out of those sides." However the biases are not large enough to have a material effect on the entropy of your password.

But if you are concerned, here are a few sources that carry Casino dice:

A Web search will find you many more.

Crooked dice are made by adding weights, making the sides non-parallel, making one dimension smaller, making the edges asymmetrically rounded, or varying the smoothness of the sides. Here is one web site on the topic. You can buy "trick" dice at http://www.casinosupply.com/.

I have an electronic dice throw generator. Should I use it?

No! Unless you know how the electronics generate the randomness and can evaluate its strength, stick to old-fashioned real dice.

Can I use a computer to generate Diceware passphrases?

Generating truly random numbers using a computer is very tricky. The so-called random number generators that come with most programming libraries are nowhere near good enough. For most users, dice are by far the better way to select passphrase words.

However if you do know what you are doing, have access to a strong method for generating random numbers (e.g. Java's SecureRandom class) and really need to generate passphrases using a computer, then, to ensure a uniform distribution of words, it is best to use a list of words that is a whole power of two in length. I have created such a list and it is available at: http://world.std.com/~reinhold/diceware8k.txt. There is also a version designed for the C programming language: http://world.std.com/~reinhold/diceware8k.c. The C version can easily be adapted for Java and many other programming languages.

How was the Diceware8k list created?

To increase the size of the Diceware list to a power of two, I added pairs consisting of a digit and a letter. (e.g. 5t, u3, 8q, etc.) No such pairs are in the original list. If we do not include the digits 1 and 0, which are easily confused with letters, then there are 2*8*26 = 416 such pairs. The present Diceware list has 6**5 = 7776 words. Adding these letter-digit pairs creates a list of 7776 + 416 = 8,192 = 2**13 words.
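The following is an added example, not the author's diceware8k.c or any other code from this page. It builds the 416 digit-letter pairs that pad 7,776 words to 8,192 and shows why a power-of-two list lets 13 random bits pick a word without bias, while reducing the same bits modulo 7,776 does not. The 7,776 base entries are constructed placeholders standing in for the real word list, and Python's secrets module is assumed as the strong random source.

```python
import secrets
import string
from collections import Counter

DIGITS = "23456789"  # 0 and 1 are left out: easily confused with letters

def digit_letter_pairs():
    """The 2*8*26 = 416 pairs such as '5t' and 'u3'."""
    letters = string.ascii_lowercase
    return ([d + c for d in DIGITS for c in letters] +
            [c + d for c in letters for d in DIGITS])

def build_8k(base_words):
    """Pad a 7,776-word list to 8,192 = 2**13 entries with the pairs."""
    if len(base_words) != 6 ** 5:
        raise ValueError("expected 6**5 = 7776 base words")
    words = list(base_words) + digit_letter_pairs()
    if len(set(words)) != 2 ** 13:
        raise ValueError("duplicates: a pair already occurs in the base list")
    return words

def passphrase(words, count=6, randbits=secrets.randbits):
    """Each word consumes exactly 13 CSPRNG bits; every index is equally likely."""
    if len(words) != 2 ** 13:
        raise ValueError("list length must be 2**13")
    return " ".join(words[randbits(13)] for _ in range(count))

def modulo_hits(list_len, bits=13):
    """For the shortcut 'value % list_len' (the thing to avoid), count how many
    of the 2**bits equally likely values land on each index.
    Returns {hits per index: number of indexes with that many hits}."""
    per_index = Counter(v % list_len for v in range(2 ** bits))
    return dict(Counter(per_index.values()))

# Constructed placeholder list; substitute the real 7,776 Diceware words.
BASE = ["word%04d" % i for i in range(6 ** 5)]
WORDS_8K = build_8k(BASE)

if __name__ == "__main__":
    print(passphrase(WORDS_8K))
    print("8192-entry list:", modulo_hits(8192))  # every index reached once
    print("7776-entry list:", modulo_hits(7776))  # 416 indexes reached twice
```

With a 7,776-word list and a computer, the unbiased alternative is to discard any 13-bit value of 7,776 or more and draw again, just as the dice tables below tell you to roll again on a blank.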

Caution for users of Windows

We are not experts on Windows, but at least one source we found says password hashes are not fully protected in Windows systems. If an attacker obtains the password hash, they can test millions of trial passwords in a matter of minutes. As a result, you should use a strong passphrase or a string of random characters.

Windows 2000 and XP allow up to 127 character passwords. On such systems we recommend a four-word Diceware passphrase with a random special character inserted, or five words. In high security applications, add a sixth Diceware word.

Many Windows installations use a filter to require you to pick a password that is strong by Microsoft's standards. This means your password must contain characters from at least three of the following sets:

To meet these criteria and strengthen your passphrase, add a random special character selected using the special character table below, and capitalize the initial letter of one Diceware word. Use dice throws to select where to insert the special character and to select which word to capitalize.

International users should be aware of the following issue, pointed out by a reader:

"One thing that has caught me out with login passwords on Windows (don't know about other systems, I suspect there are similar problems) is that some special characters are different on the US keyboard from my usual UK keyboard. When you log in, the system assumes a US keyboard, and so you will never get your password right unless you know where the hash key (for example) is on the US keyboard. This limits the number of special characters that a non-US user can use."

Caution for users of older Unix systems

Some very old Unix-based systems allow access to the file containing the encrypted passwords (/etc/passwd).

This is a serious security flaw, since it allows an attacker to test tens of millions of trial passwords per second. See The Ambitious Amateur vs. crypt(3) by Kurt Hockenbury. Since this paper was written, in 1997, computers have become much more powerful, increasing the threat.

If you have to use such systems, your sole defense is to pick a good password. Only a completely random string of 16 characters, preferably chosen from all possible printable characters, provides strong protection against attacks, and even that may be vulnerable to an attacker with a very large budget. In particular, Unix "root" passwords should always be constructed in this way! You can use dice to select a string of 16 random characters using the tables below. If you install Unix systems frequently, we suggest you learn our method for creating a strong password using only coins and a computer keyboard. You might also consider our password generating applet, PassGen2. Select the "MMMMMMMM" template from the pull down list. You'll need to do this three times to get 16 characters.

If security is important, ask your systems administrator to switch to a more modern login password system that allows longer passwords and shadows the password file. Even better is a safer authentication method like Stanford University's Secure Remote Password Protocol SRP. If you are accessing a Unix or Linux system remotely, always use SSH.

Nicknames for Special Characters

Remembering passwords containing special characters can be easier if you use nicknames for the special characters. Here are some suggestions (let me know if you have others):

Char  Nickname       Char  Nickname

 `    Ding            {    Sneer
 ~    Twiddle         }    Smirk
 !    Bang            [    Uh
 @    At              ]    Duh
 #    Hash            |    Pole
 $    Bucks           \    Back
 %    Ears            :    Eyes
 ^    Hat             ;    Wink
 &    And             "    Quote
 *    Star            '    My
 (    Frown           <    Mouth
 )    Smile           >    Nose
 _    Under           ,    Tear
 -    Dash            .    Dot
 +    Plus            ?    Huh? or Hook
 =    Equals          /    Slash

So for example, remembering &{^WEz_t is easier as "and sneer hat W E z under t" than "ampersand left-brace caret W E z underscore t."

Dice Tables For Generating Passwords and Random Numbers

The following are a series of tables to aid you in producing random strings of characters or digits using dice. While the effort is a tad tedious, the result is random quantities of the highest quality.

How do I use dice to create random character strings?

To create passwords of maximum strength for a given number of characters, you must use all available symbols. This is especially important for most Unix systems where passwords are limited to eight characters from the 7-bit ASCII printable character set. The following set of three tables allows you to create such a password.

Roll a die three times (or roll three dice) for each character and then select one of the following three tables, based on what the first roll says:

If first roll=1 or 2             3 or 4             5 or 6
           Second Roll        Second Roll        Second Roll
         1  2  3  4  5  6   1  2  3  4  5  6   1  2  3  4  5  6

T  1     A  B  C  D  E  F   a  b  c  d  e  f   !  @  #  $  %  ^     
h  2     G  H  I  J  K  L   g  h  i  j  k  l   &  *  (  )  -  =
i  3     M  N  O  P  Q  R   m  n  o  p  q  r   +  [  ]  {  }  \  
r  4     S  T  U  V  W  X   s  t  u  v  w  x   |  `  ;  :  '  "
d  5     Y  Z  0  1  2  3   y  z  ~  _  sp     <  >  /  ?  .  ,
   6     4  5  6  7  8  9

Note: Roll all three dice again whenever you get a blank. The table entry "sp" means a space character. If you do not want spaces in your password, roll all three dice again whenever you get "sp."

Repeat this procedure eight times to get a maximal strength Unix password. Each random character adds 6.55 bits of entropy. Eight characters provide 52.4 bits of entropy.

Example:

224 T
131 C
553 }
215 Y
665 ,
334 u
326 roll again
535 /
364 x

The password is then:

TC}Y,u/x

Easy to remember? Hardly, but it is the only type of password that provides adequate security on many Unix-based systems. Only such full strength passwords should be used for root and administrative accounts or high security user accounts.
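The following is an added example, not part of the original FAQ. It decodes rolls with the three tables above, reproduces the worked example, and enumerates all 216 possible outcomes to check that the roll-again rule leaves every character equally likely. The function names are this example's own.

```python
import math
from collections import Counter

# The page's three tables: one string per third-roll row (1..6); the position
# inside the string is the second roll. Short or empty rows are the blanks.
UPPER = ["ABCDEF", "GHIJKL", "MNOPQR", "STUVWX", "YZ0123", "456789"]
LOWER = ["abcdef", "ghijkl", "mnopqr", "stuvwx", "yz~_ ", ""]
SPECIAL = ["!@#$%^", "&*()-=", "+[]{}\\", "|`;:'\"", "<>/?.,", ""]
TABLES = {1: UPPER, 2: UPPER, 3: LOWER, 4: LOWER, 5: SPECIAL, 6: SPECIAL}

def decode(rolls, allow_space=True):
    """Map three rolls such as '224' to a character; None means roll again."""
    if len(rolls) != 3 or any(r not in "123456" for r in rolls):
        raise ValueError("expected three rolls, each 1..6: %r" % (rolls,))
    first, second, third = (int(r) for r in rolls)
    row = TABLES[first][third - 1]
    if second > len(row):
        return None                       # blank cell in the table
    ch = row[second - 1]
    return None if (ch == " " and not allow_space) else ch

def password(roll_list, length=8, allow_space=True):
    """Decode rolls in order, skipping roll-agains, and keep `length` chars."""
    chars = [c for c in (decode(r, allow_space) for r in roll_list)
             if c is not None]
    if len(chars) < length:
        raise ValueError("not enough usable rolls; keep rolling")
    return "".join(chars[:length])

def audit(allow_space=True):
    """Try all 6*6*6 outcomes. Returns (distinct characters, whether every
    character is produced by the same number of outcomes, bits per character)."""
    counts = Counter()
    for n in range(216):
        rolls = "%d%d%d" % (n // 36 + 1, n // 6 % 6 + 1, n % 6 + 1)
        ch = decode(rolls, allow_space)
        if ch is not None:
            counts[ch] += 1
    uniform = len(set(counts.values())) == 1
    return len(counts), uniform, math.log2(len(counts))

# The worked example from the page, including its one "roll again".
PAGE_ROLLS = ["224", "131", "553", "215", "665", "334", "326", "535", "364"]

if __name__ == "__main__":
    print(password(PAGE_ROLLS))           # TC}Y,u/x
    print(audit(allow_space=False))       # 94 symbols, uniform, about 6.55 bits
    print(audit(allow_space=True))        # 95 symbols, uniform, about 6.57 bits
```

The 6.55 bits per character quoted above corresponds to the 94-symbol case, where "sp" is rolled again.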

Our table of nicknames for special characters can make these passwords a little easier to remember. And if you do not have dice or these tables available, you can also create full strength passwords using a keyboard and coins, so there is no excuse for weak passwords.

If security is less of a concern for user accounts, then eight characters from the following table can be used, preferably with a random special character thrown in. Never use passwords of seven characters or less.

How do I use dice to create random strings of letters and numbers?

Just roll dice twice for each character and then use this table:

              First Roll
         1   2   3   4   5   6

S  1     A   B   C   D   E   F
e  2     G   H   I   J   K   L
c  3     M   N   O   P   Q   R
o  4     S   T   U   V   W   X
n  5     Y   Z   0   1   2   3
d  6     4   5   6   7   8   9

Each random character adds 5.17 bits of entropy. Eight characters give 41.3 bits of entropy.

If you only want letters, roll the dice again whenever you get a digit. Each random letter adds 4.7 bits of entropy.

How do I use dice to create random decimal numbers?

Roll a die twice for each digit and then use the following table:

              First Roll
         1   2   3   4   5   6

S  1     1   2   3   4   5   *
e  2     6   7   8   9   0   *
c  3     1   2   3   4   5   *
o  4     6   7   8   9   0   *
n  5     1   2   3   4   5   *
d  6     6   7   8   9   0   *

Roll the first die again whenever you get a *. Each random digit adds 3.3 bits of entropy. Note: You really don't need the table to use this method: Just roll a die until you get a number that isn't 6. Then roll the die again. If the second result is even, add 5 to the first number you got. Treat a ten as a zero. That's it.

How do I use dice to create random hexadecimal numbers?

Roll dice twice for each hex digit and then use the following table:

              First Roll
         1   2   3   4   5   6

S  1     0   1   2   3   4   5
e  2     6   7   8   9   A   B
c  3     C   D   E   F   0   1
o  4     2   3   4   5   6   7
n  5     8   9   A   B   C   D
d  6     E   F   *   *   *   *

Roll the dice again whenever you get a *. Each hex digit adds 4 bits of entropy.

One novelty store sells 16-sided (d16) dice with markings in Hexadecimal:

http://www.gamestation.net/prodinfo.asp?number=QPI0001

There are also d16 dice marked 1 to 16, but you have to remember that 10 is A, 11 is B, 12 is C, 13 is D, 14 is E, 15 is F and 16 is 0. One source is:

http://store.yahoo.com/gsonline/16sideddice.html

You can make a paper d16 die using this template:

http://www.dicecollector.com/D16.PNG

If you are stuck without dice, you can also use four coins.

How do I use dice to create random special characters?

Some computer systems insist that a special character be included in your password. Here is how to make them happy. Roll the dice twice and then use the following table:

              First Roll
         1   2   3   4   5   6

S  1     !   @   #   $   %   ^
e  2     &   *   (   )   -   =
c  3     +   [   ]   {   }   \
o  4     |   `   ;   :   '   "
n  5     <   >   /   ?   .   ,
d  6     ~   _   3   5   7   9

If you only want special characters, roll the dice again whenever you get a digit.

How do I use dice to pick a random character in a word?

You need to do this if you want to insert one random character in your passphrase for added security, as mentioned in the main Diceware page. Here is how this is done. Pick the column in the table below that corresponds to the number of characters in the chosen word. Then roll one die and look up the number you get on the left hand side of the table. Insert the random character after the selected letter. Zero means put the random character at the beginning of the word.

    Number of characters in the word
D        2   3   4   5   6
i
e  1     1   1   1   1   1
   2     2   2   2   2   2
R  3     0   3   3   3   3
o  4     1   0   4   4   4
l  5     2   *   0   5   5
l  6     0   *   *   0   6

Roll the dice again whenever you get a *.

I need to make up a passphrase right now and I don't have any dice available.

Take three different coins (e.g. a U.S. penny, nickel and dime). Shake them up in a cup and dump them on a surface and then look in the following table to get an equivalent die roll (H = Heads, T = Tails).

    Results of Coin Toss
      Penny Nickel Dime
 
D  1    T     T     T
i  2    T     T     H
e  3    T     H     T
   4    T     H     H
R  5    H     T     T
o  6    H     T     H
l  *    H     H     T
l  *    H     H     H

Flip all the coins again whenever you get a *.

One could make a Diceware table indexed by coin tosses. That was my original idea, but 5 dice tosses are a lot more practical for selecting a word than 13 coin tosses. Get some dice!

I sometimes need to make up a strong password when I don't have access to these tables.

You can use coins and a standard computer keyboard in lieu of the tables. Take four identical coins. We will use the coin values to form binary numbers, with the coin on the right or bottom being the low order bit and Heads = 1, Tails = 0.

So if the right-most coin is heads, write down a 1; if it's tails, write down a zero. If the next coin is heads, write down a 2; if tails, zero. If the next is heads, write down a 4; if tails, 0. If the fourth coin is heads, write down an 8; otherwise zero. Now add up the numbers you wrote down.

Follow these steps for each character:

  1. Flip two coins to select a row on the keyboard, bottom row = 0 (TT), top row = 3 (HH).

  2. Flip four coins to form a number from 0 to 15. Use this number to select a key in the selected row, starting from the left and counting the first character as zero. If the number you get is more than the number of keys in the row, flip the coins again. For maximum randomness, you should select a new row as well, but the bias introduced if you use the previously selected row is not that great.

  3. Flip one coin to determine if the character will be uppercase (H) or lower case (T).

Example:

First flips: Coin on the left = H, coin on the right = T: Select row 2 (QWERTYUIOP...)

Second flips: Coins from left to right: HTTH: Select key number 9 which is "P" (remember to count "Q" as zero)

Third flip: T. Use the lowercase version: Final character is "p".


Ascii key+  ||  08d0a5d961603380e2949d682c
10 Byte IV  ||  bfe8da5c1dec3aba9725d4f689
Ron's No.4  ||  40761763d4d38935e8bd8a44bf
All u need ==== 4656a7bd7f9ae5d082a30cdfa7
CipherSaber ||  f21a918d29c5917956d0468eaf



Arnold G. Reinhold
e-mail: my initials (3 letters) a_t mac dot com
PGP Fingerprint:
FA C3 82 FB 05 5E 03 1A 34 04 79 EA 9E 76 7B 67
Copyright (c) 1996-2014, Arnold G. Reinhold, Cambridge, Mass. USA
The author hereby grants rights for free non-commercial electronic distribution of this entire text with attribution. All other rights reserved. Reasonable requests for other uses, such as translations, are encouraged and will be carefully and promptly considered. This information is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Elected officials from states that have adopted the UCITA are subject to additional terms and conditions.

Last updated 2014-3-28