🎯 Passphrase Generator (Diceware)

Last updated: May 23, 2026

🎲 Diceware Passphrase Generator

Cryptographically secure — runs entirely in your browser, nothing sent to any server

Generator options: word count (set to 5), capitalize each word, append a random 2-digit number, show dice roll values.

Why Your Password Manager's Generator Might Not Be Enough — And What Diceware Gets Right

Most people treat password security like buying car insurance: they know they need it, they grab whatever is cheapest and most convenient, and they do not think about it again until something goes wrong. Password managers defaulting to random strings like xQ!7kP@3mZ feel secure because they look chaotic — but "looks chaotic" and "is mathematically secure and memorable" are two very different things. Diceware sits at the intersection of both, and once you understand why it works, you will never look at passphrases the same way.

1. The Math Behind Diceware Is Surprisingly Simple — And That's the Point

Diceware was invented by Arnold Reinhold in 1995. The premise is almost embarrassingly straightforward: roll five six-sided dice, map the result to a numbered word on a published list, and repeat. The EFF Large Wordlist contains exactly 7,776 words — which is not a coincidence. That is 6 to the power of 5. Every possible five-dice combination maps to exactly one word, with no gaps and no overlap.

Each word you pick this way adds roughly 12.9 bits of entropy to your passphrase. That number comes from log₂(7776). A five-word passphrase gives you about 64.6 bits — enough to defeat most offline attack scenarios. Six words pushes past 77 bits, and seven words crosses 90 bits, entering territory that would take longer to brute-force than the current age of the universe even with dedicated hardware running at a trillion guesses per second.

Compare that to a random 10-character string using uppercase, lowercase, digits and symbols: you get roughly 66 bits. A 7-word Diceware passphrase beats a complex 10-character random password while being dramatically easier to type, memorize, and recall under stress.

2. The "Memorable" Part Is Not a Weakness — It Is a Feature

Security folk have a saying: a password you cannot remember is not a secure password, it is a disabled account waiting to happen. People who cannot recall their credentials do one of three things — they reset the password to something weaker, they write it on a sticky note, or they reuse a password they already know. Every one of those outcomes makes you less secure than if you had chosen a strong, memorable passphrase from the start.

Diceware passphrases exploit a quirk of human cognition called chunking. Our brains are exceptionally poor at remembering random characters in sequence, but remarkably good at building narrative. "Marble chimney foxtrot basin crisp" is five disconnected words, yet your brain will almost automatically construct a mental image — a marble chimney somewhere near a fox, maybe, with a crispy basin underneath. That bizarre mental image is now a memory anchor, and neuroscience research on the method of loci confirms this kind of vivid, unusual imagery dramatically improves recall.

3. "But Surely Attackers Know About Diceware?" — Here's Why That Does Not Matter

This is the most common misconception beginners raise. If an attacker knows you are using a Diceware wordlist, does that not reduce the search space? Technically yes — but that is already baked into the entropy calculation. The 12.9 bits per word figure assumes the attacker knows the exact wordlist and that you picked from it uniformly at random. The security comes from the size of the search space, not from hiding the method.

An attacker who knows you used the EFF Large Wordlist still faces 7776⁵ possible five-word combinations, which is approximately 28 quadrillion. At a billion guesses per second — a very generous assumption for most attack scenarios — that search would take around 900 years. Upgrade to six words and the number becomes irrelevant within any practical timeframe.
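The entropy and search-space arithmetic from sections 1 and 3, as an added example that is not part of the original page: it computes bits per word, the exact number of candidate passphrases, and the time to exhaust them. The guess rates (10⁹ and 10¹² per second) are the illustrative assumptions used above, not measured figures.

```javascript
// Added example, not the page's own code: the entropy and search-space figures
// from sections 1 and 3, computed rather than quoted. Guess rates are assumptions.
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Bits of entropy for `words` picks made uniformly from a list of `listSize`
// entries: log2(listSize ** words) = words * log2(listSize). The attacker is
// assumed to know the list, so only the selection contributes entropy.
function passphraseBits(words, listSize = 7776) {
  return words * Math.log2(listSize);
}

// Bits for a random string of `length` symbols over an alphabet of `alphabet`
// symbols; 94 is the printable ASCII set (26 + 26 + 10 + 32).
function randomStringBits(length, alphabet = 94) {
  return length * Math.log2(alphabet);
}

// Exact number of candidate passphrases (listSize ** words) as a BigInt, since
// 7776 ** 5 already exceeds Number.MAX_SAFE_INTEGER.
function searchSpace(words, listSize = 7776n) {
  return listSize ** BigInt(words);
}

// Years to try every candidate of a `bits`-bit space at `guessesPerSecond`.
function yearsToExhaust(bits, guessesPerSecond) {
  return 2 ** bits / guessesPerSecond / SECONDS_PER_YEAR;
}

// Bits added by a uniformly chosen suffix with `valueCount` possibilities,
// e.g. a two-digit number 10..99 has 90 values.
function suffixBits(valueCount = 90) {
  return Math.log2(valueCount);
}

// One row per word count: bits, exact combinations and exhaustive-search time
// at the two guess rates discussed in the article.
function scenarioTable(wordCounts = [5, 6, 7]) {
  return wordCounts.map((n) => ({
    words: n,
    bits: Number(passphraseBits(n).toFixed(1)),
    combinations: searchSpace(n).toString(),
    yearsAt1e9: yearsToExhaust(passphraseBits(n), 1e9),
    yearsAt1e12: yearsToExhaust(passphraseBits(n), 1e12),
  }));
}
```

Calling scenarioTable() returns the rows for five, six and seven words; the years are for exhausting the whole space, so the expected time for a single target is roughly half.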

4. Why "Cryptographically Secure" Randomness Matters More Than You Think

The critical requirement for Diceware is genuine randomness. Physical dice are excellent for this because they exploit thermal noise and physical chaos — true entropy from the real world. Browser-based generators must substitute crypto.getRandomValues(), which draws from the operating system's entropy pool seeded by hardware events like keystrokes, mouse movement, and disk timing.

What you must never do is use Math.random(). JavaScript's built-in random function is a pseudorandom number generator — it produces a deterministic sequence from a seed value. On some platforms, that seed is time-based and predictable. A serious attacker who knows when you generated your passphrase could potentially reconstruct the seed and enumerate the small number of possibilities. The crypto.getRandomValues() API eliminates this attack vector entirely.

5. The EFF Wordlist Was Designed to Avoid Embarrassment — And That Matters

When the Electronic Frontier Foundation published their updated Diceware wordlist in 2016, they made several deliberate design choices that the original 1995 list did not consider. Words that are offensive, brand names, or culturally problematic were removed. Homophones — words that sound the same but are spelled differently, like "there" and "their" — were culled to reduce confusion when reading a passphrase aloud or over the phone.

They also removed words shorter than three characters and longer than nine, striking a balance between typability and memorability. The result is a list where every word feels like something a real person might say, which makes the passphrases feel more coherent and easier to internalize. This was not a cosmetic decision — it directly affects how well users memorize and retain their passphrases over time.

6. When to Use Passphrases vs. When to Use Random Strings

Diceware passphrases are not universally superior to random character strings — context matters. For passwords you will type frequently from memory (a laptop login, a password manager master password, a frequently used account), a Diceware passphrase wins on every metric: security, memorability, typability, and resistance to shoulder-surfing.

For passwords stored entirely in a password manager and never typed manually, a 20-character random string with full character diversity might offer marginally higher entropy per character — though that advantage matters only in edge cases where character count is severely limited. The moment you factor in human behavior, Diceware's advantage in memorability tips the balance back in its favor for most real-world usage.

7. The Separator Character Changes More Than You Think

Choosing a separator between your Diceware words is a small but non-trivial decision. A space creates the most natural phrase ("correct horse battery staple") and is easiest to type on mobile devices. A hyphen makes the phrase look like a compound word and avoids issues with systems that reject spaces in passwords. Using no separator ("correcthorsebatterystaple") tests your memory harder but produces shorter total character counts.

From a pure entropy standpoint, the separator choice does not change the underlying security of the word selection — the bits come from the word choices themselves. However, some attackers add separator patterns to their dictionary attacks, so a truly random separator (or varying the case of words) adds a small amount of additional unpredictability without adding any memorization burden.

8. Five Words: The Sweet Spot for Most People's Security Needs

Security researchers including Micah Lee at The Intercept and the team at EFF generally recommend five to seven words for different use cases. Five words (roughly 64 bits of entropy) is appropriate for account passwords where rate-limiting protects against online attacks. Six words (around 77 bits) is appropriate for local device encryption where offline cracking is possible. Seven or more words is the territory of master passwords for password managers, where a compromised password vault could be attacked at full hardware speed.

The entropy jump from four words to five is not linear in practical security terms — it is the difference between a passphrase that falls to a targeted attack within a year and one that remains safe for a human lifetime. Every additional word multiplies the attacker's required work by 7,776. That multiplication effect is why Diceware's simplicity maps so cleanly onto real-world security requirements: you just count words.

There is something quietly elegant about a security system that has survived three decades largely unchanged because its core mathematics are so sound. In a field full of complexity and obsolescence, Diceware is the rare tool that gets stronger the more you understand it.

FAQ

How many words do I need for a secure Diceware passphrase?
Five words (about 64.6 bits of entropy) is the minimum recommended for most online accounts, where rate-limiting protects you from rapid guessing. Six words (~77 bits) is better for local device encryption, and seven or more words is the gold standard for master passwords where an attacker might get offline access to a stolen vault. Each additional word multiplies the number of possible passphrases by 7,776.
Is this generator truly random? How is it different from Math.random()?
This generator uses the browser's crypto.getRandomValues() API, which draws entropy from the operating system's hardware-seeded random pool — the same source used by cryptographic software. JavaScript's Math.random() is a pseudorandom generator that can be seeded from predictable values like the current time, making it unsuitable for security applications. crypto.getRandomValues() produces statistically indistinguishable-from-random output that is not vulnerable to seed prediction attacks.
What is entropy in bits, and why does it matter for passwords?
Entropy measures unpredictability. One bit of entropy means an attacker faces a 50/50 coin flip; each additional bit doubles the search space. At 64 bits, an attacker who can try 1 trillion guesses per second would still need around 18 years to exhaust all possibilities. At 77 bits (six words), that figure jumps to over 100,000 years. The EFF Diceware wordlist gives exactly log2(7776) ≈ 12.925 bits per word, so you can calculate total entropy by multiplying word count by 12.925.
If an attacker knows I used a Diceware wordlist, does that make my passphrase weaker?
No — and this is a common misunderstanding. The entropy calculation already assumes the attacker knows the exact wordlist and method. The security comes purely from the size of the search space: with a 7,776-word list, a five-word passphrase has about 28 quadrillion possible combinations. Kerckhoffs's principle in cryptography holds that a secure system should remain secure even when everything about it except the key (or in this case, the word selection) is public knowledge. Diceware was designed with this in mind.
Should I add numbers or symbols to my Diceware passphrase?
Adding a random two-digit number appends about 6.5 bits of entropy (log2(90) for numbers 10–99), which is a meaningful boost. However, predictable transformations like substituting '3' for 'e' or adding '1!' at the end add almost no real entropy because attackers already include these patterns in their rules-based attacks. If you want to strengthen a passphrase, the most effective approach is always to add another full word β€” each one contributes nearly 13 bits of genuine entropy from the wordlist.
Why does my bank or some websites reject passphrases even though they are secure?
Many websites enforce password rules designed around old NIST guidelines that equated complexity with security — requiring uppercase, symbols, and numbers while imposing short maximum lengths. A Diceware passphrase like 'Marble Foxtrot Basin Crisp Hollow' scores poorly on these metrics despite being vastly more secure than 'P@ss1word!'. NIST's updated guidelines (SP 800-63B, revised 2017 and 2024) now explicitly recommend long passphrases over complex short passwords, but website adoption of these guidelines has been slow. In such cases, use a Diceware passphrase as your password manager master password and let the manager generate site-specific passwords for non-compliant services.