About Diceware
Weak passwords are a big flaw in computer security due to a lack of "entropy"
or randomness. For example, how many times have you used the name of a pet or relative or street
in a password, or perhaps the number "1"? Not very random, is it? :-)
Worse still, if
passwords are reused between services,
that increases your security risk. This is not theoretical,
this has already happened.
Fact is, humans are terrible at remembering random combiations of letters and
numbers, but we are great at remembering phrases of words. That's where Diceware comes in.
This Diceware web app is based on the proposal at
http://world.std.com/~reinhold/diceware.html
wherein virtual dice are roled 5 times, and the 5 digit number used against a lookup table of words.
4 dice rolls gives you 4 random words which are easy for a human being to remember, yet have
a high amount of entropy which makes them hard to crack.
For more information on Diceware:
For more information on the entropy in passphrases, I'd like to refer you
to this XKCD comic.
Diceware is a trademark of Arnold Reinhold.
FAQ: Why not use LastPass or a similar product?
By all means, feel free to do so. LastPass is an excellent product and I highly recommend it.
That said, there's no reason that Diceware cannot be used concurrently with LastPass. Personally,
I like passwords that I can remember.
"I can't believe you're sending passwords over the Internet!"
Chill. I'm not. Passwords are generated within your browser and do not leave it (unless you copy them out yourself).
FAQ: Are these dice rolls cryptographically secure?
Yes, insofar as we're using the
getRandomValues() function in Javascript,
and you trust that your
browser and computer have not been compromised or otherwise tampered with. Keep in mind that a not-so-theoretical attack
would be for an attacker to compromise the random number generator on your computer so that
anything that is encrypted (or passkeys generated) would be suspectible to less intense cryptoanalysis.
FAQ: Is the source available?
Yep! You can grab a copy at
https://github.com/dmuth/diceware
In fact, if you are nervous about generating a password on a website (even though the password is actually
generated by Javascript in your browser), I would encourage you to download the source and run it locally.
If you do want to run Diceware locally, just download the source and run a webserver in Python with
this command:
python -m SimpleHTTPServer 8000. You will then able to access DiceWare at
http://localhost:8000/.
FAQ: Is there a way to roll the dice automatically?
Yes, there is. Append "?debug=n" to the URL to automatically roll the dice N times.
Examples:
Roll the Dice 4 times.
Or 5 times.
Or even 6 times!
FAQ: Can you tell me more about the list of words?
I used to use
the original wordlist,
but it contained a lot of symbols, punctuation, numbers, and 2 and 3 letter words. I wanted to try a different
wordlist with longer words, no non-alphabetic characters, and words more commonly used. So I got
Peter Norvig's list of
the 1/3rd million most frequently used words.
FAQ: How many dice are rolled per word?
The default is 5 dice, which allows for 7,776 different words per roll. While I have some debug hooks
in the code so that you can run Diceware with
6 dice per word and
7 dice per word (for 46,655 and 279,935 possible words, respectively), the words
used become more obscure, which makes them more difficult to remember, so I'm not entirely sure that is a good thing.
But for now, the functionality is there, if there is a desire for it.
FAQ: Why did you change the wordlist?
I am always considering what words I use in the wordlist. I may opt to use shorter words in the future.
Who built this? / Contact
My name is
Douglas Muth, and I am a software engineer in Philadelphia, PA.
There are several ways to get in touch with me:
Feel free to reach out to me if you have any comments, suggestions, or bug reports.
