Password Techniques

Creating Memorable Yet Strong Passwords With Diceware

January 30, 2025 · 9 min read

Most people struggle with passwords. They're either too weak and easy to remember, or too strong and impossible to recall. The Diceware method solves this problem by creating passwords that are both secure and memorable.

Diceware uses dice to randomly select words from a wordlist, creating passphrases that are easy to remember but hard to guess. It's been used by security experts for decades and is recommended by organizations like the Electronic Frontier Foundation (EFF).

What Is Diceware?

Diceware is a method for creating secure passphrases using physical dice and a wordlist. The process is simple:

  1. Roll a die five times
  2. Write down the five numbers (e.g., 1-4-2-6-3)
  3. Look up that number combination in a wordlist
  4. Write down the corresponding word
  5. Repeat for each word in your passphrase

The result is a passphrase made of randomly selected words, like "correct horse battery staple" or "tiger velvet coffee window". These passphrases are:

  • Secure: Random selection ensures high entropy
  • Memorable: Words are easier to remember than random characters
  • Typeable: Words are easier to type than complex passwords

Why Diceware Works

Diceware creates secure passphrases through entropy—the measure of unpredictability. Here's how it works:

A standard Diceware wordlist contains 7,776 words (6^5, since you roll five dice). Each word adds about 12.9 bits of entropy. A five-word passphrase has about 64.5 bits of entropy—equivalent to a 10-character random password using uppercase, lowercase, numbers, and symbols.

But here's the key: Diceware passphrases are memorable. You can remember "correct horse battery staple" much more easily than "Xk9#mP2$vL7@nQ4!", even though they have similar entropy.

This makes Diceware ideal for passwords you need to remember, like your password manager's master password or your computer's login password.

How to Use Diceware

Step 1: Get a Wordlist

The most common wordlist is the EFF Long Wordlist, which contains 7,776 words. You can download it from the Electronic Frontier Foundation's website. The wordlist is designed to be:

  • Easy to remember
  • Distinctive (no similar-sounding words)
  • Appropriate for all audiences

Step 2: Roll the Dice

Use physical dice (not digital dice or random number generators). Physical dice ensure true randomness. Roll five dice and write down the numbers.

For example, if you roll 1-4-2-6-3, you'd look up "14263" in the wordlist.

Step 3: Look Up the Word

Find the number combination in your wordlist and write down the corresponding word. Repeat this process for each word in your passphrase.

Step 4: Choose Length

The number of words determines security:

  • 4 words: ~51 bits of entropy (good for low-security accounts)
  • 5 words: ~64 bits of entropy (good for most accounts)
  • 6 words: ~77 bits of entropy (excellent for high-security accounts)

For most purposes, 5-6 words is recommended.

Digital Alternatives

While traditional Diceware uses physical dice, you can use digital tools that generate Diceware-style passphrases using cryptographically secure random number generators. These tools:

  • Use the same wordlists as physical Diceware
  • Generate truly random selections
  • Are faster and more convenient than rolling dice
  • Maintain the same security properties

Many password generators (including ours) offer Diceware/EFF wordlist options. These are perfect for creating memorable master passwords or passphrases you need to remember.

Important: If you use a digital generator, make sure it uses cryptographically secure randomness, not an ordinary (non-cryptographic) pseudo-random number generator. Look for generators that use the Web Crypto API or a similar secure source.
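The steps from "How to Use Diceware", carried out with the Web Crypto API in place of physical dice. This is an added example, not code from the original article or from any generator it mentions. It assumes the wordlist uses the EFF file's `rolls<TAB>word` line layout; the function names and the placeholder wordlist are constructed for illustration.

```javascript
// Added example: Diceware with a CSPRNG instead of physical dice.
// Browsers and recent Node expose Web Crypto as globalThis.crypto; older Node needs the fallback.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// One fair roll (1-6). A byte has 256 values and 256 % 6 !== 0, so bytes >= 252
// are rejected; a plain `byte % 6` would make faces 1-4 slightly more likely.
function rollDie(randomByte = () => webcrypto.getRandomValues(new Uint8Array(1))[0]) {
  for (;;) {
    const b = randomByte();
    if (b < 252) return (b % 6) + 1;
  }
}

// Parse "14263<TAB>word" lines (the assumed EFF Long Wordlist layout) into a Map.
function parseWordlist(text) {
  const list = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^([1-6]{5})\s+(\S+)$/.exec(line.trim());
    if (m) list.set(m[1], m[2]);
  }
  if (list.size !== 6 ** 5) throw new Error(`expected 7776 entries, got ${list.size}`);
  return list;
}

// Steps 1-5 of the procedure: five rolls form the key, the key selects the word.
function generatePassphrase(wordlist, wordCount = 6, roll = rollDie) {
  const words = [];
  for (let i = 0; i < wordCount; i++) {
    const key = Array.from({ length: 5 }, () => roll()).join("");
    words.push(wordlist.get(key));
  }
  return words.join(" ");
}

// Entropy in bits of `wordCount` independent, uniform picks from `listSize` words.
const entropyBits = (wordCount, listSize = 6 ** 5) => wordCount * Math.log2(listSize);

// CONSTRUCTED placeholder list ("word11111" ... "word66666") so the example runs
// offline; replace it with the text of the real wordlist file.
function placeholderWordlist() {
  const lines = [];
  for (let n = 0; n < 6 ** 5; n++) {
    const key = n.toString(6).padStart(5, "0").replace(/\d/g, (d) => Number(d) + 1);
    lines.push(`${key}\tword${key}`);
  }
  return lines.join("\n");
}

const demoList = parseWordlist(placeholderWordlist());
console.log(generatePassphrase(demoList, 6), `(~${entropyBits(6).toFixed(1)} bits)`);
```

The size check in `parseWordlist` matters because a truncated or altered list silently lowers the entropy of every passphrase drawn from it.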

Best Practices

Use the Right Wordlist

Stick with well-established wordlists like the EFF Long Wordlist. These have been carefully designed and tested. Don't create your own wordlist or use untested alternatives.

Don't Modify Words

Use the words exactly as they appear in the wordlist. Don't capitalize them, add numbers, or make substitutions. These modifications don't significantly increase security and can make the passphrase harder to remember.

Use Enough Words

For important accounts, use at least 5 words. For master passwords or high-security accounts, use 6 words. Shorter passphrases are easier to remember but less secure.

Keep It Random

Don't try to create a "story" or meaningful phrase. The randomness is what makes it secure. "correct horse battery staple" is secure because it's random, not because it makes sense.

Don't Reuse Passphrases

Even though Diceware passphrases are memorable, you should still use a unique one for each account. Consider using Diceware for your password manager's master password, then let the password manager handle unique passwords for everything else.

When to Use Diceware

Diceware is ideal for:

  • Master passwords: Your password manager's master password
  • Device passwords: Computer, phone, or tablet login passwords
  • Important accounts: Email, banking, or other critical accounts where you need to remember the password
  • Backup codes: Recovery codes or backup authentication methods

For most other accounts, use a password manager with randomly generated passwords. You don't need to remember those passwords, so there's no benefit to using Diceware.

Common Mistakes

Making it meaningful

Don't try to create a passphrase that tells a story or makes sense. The randomness is what provides security. "I love my dog Max" is not secure, even if it's memorable.

Using too few words

Three-word Diceware passphrases have only ~39 bits of entropy—not enough for important accounts. Use at least 5 words for most purposes.

Modifying the words

Adding capitalization, numbers, or symbols doesn't significantly increase security and makes the passphrase harder to remember. Use words exactly as they appear in the wordlist.

Using non-random selection

Don't pick words you like or that seem "stronger". The security comes from random selection. Use dice or a secure random generator.

Conclusion

Diceware is a time-tested method for creating secure, memorable passphrases. By using random word selection from a carefully designed wordlist, you can create passwords that are both strong and easy to remember.

While Diceware isn't the right solution for every password (use a password manager for most accounts), it's perfect for passwords you need to remember, like your master password or device login.

The key is to use enough words (5-6 for most purposes), keep the selection truly random, and use the words exactly as they appear in the wordlist. Follow these principles, and you'll have passphrases that are both secure and memorable.
