Creating strong passphrases using Diceware

Last year I wrote an article regarding a method you can use to create strong, easy to remember passwords. Diceware is an alternative method used to create strong, easy to remember passphrases. A full explanation about diceware passphrases can be found here.

Diceware vs Random Characters

A diceware passphrase is created using the randomness of dice rolls to pick words from a wordlist. The list used for generating passphrases has a total of 7776 words, which is 6 to the power of 5, so every word in the list is indexed by a unique sequence of five dice rolls.

This gives a total of 28,430,288,029,929,701,376 passwords for a 5 word lowercase diceware passphrase or 221,073,919,720,733,357,899,776 for a 6 word lowercase diceware passphrase.

It is recommended to have 5 or 6 words, which would be between 30-36 dice rolls. This probably isn’t a technique you would use for all your online accounts, due to the time it takes to generate, but it allows you to create a secure passphrase for a password manager, a separate passphrase for your email, and a separate passphrase for your online banking.

A password manager can be used to generate random 20 character passwords for your online accounts. The password manager remembers these difficult passwords for you.

In comparison, a 12 character randomly generated password (using uppercase, lowercase, symbols, and numbers) gives 475,920,314,814,253,376,475,136 combinations (about 2.15 times as many as a 6 word diceware passphrase) but would be near impossible to remember.

Creating the Passphrase

To create the diceware passphrase you roll the dice 5 times. For example, our 5 rolls give us 6, 4, 6, 4, 3.

Looking up that number (64643) in the word list gives us ‘yamaha’.

We do this 5 more times to bring us to a total of 6 words.

64643    yamaha
23643    dwelt
41461    man
12423    arden
55545    stony
45523    pier

Giving us the passphrase: yamaha dwelt man arden stony pier

After repeating it a few times you will find yourself remembering it. If you are worried you are going to forget it, write it down. If it is stored securely away from your PC (where you store other valuables at home), and not written on a sticky note attached to your laptop, or saved on your devices as a Note, it should be safe.

To appease some password forms, you may need to add uppercase letters, symbols, and numbers. Do this randomly as well (use the dice to decide which word is uppercase, or where to insert numbers/symbols).

For example, rolling a 3 could mean making the third word uppercase. Roll the die a few more times to decide on the numbers and symbols.

Eventually you will end up with something like: yamaha.dwelt.2MAN.arden.stony.pier
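As an added example (not code from the original article), the script below works through the procedure above in Python: it turns five-roll groups into wordlist keys, looks the article’s six roll groups up in a constructed six-entry subset of the Diceware list, applies the "roll a 3, uppercase the third word" trick, and computes the combination counts and strength in bits for 5 and 6 word passphrases versus the 12 character random password. The six-entry word list, the use of the `secrets` module as a software stand-in for physical dice, and the 94-character printable alphabet behind the 12 character figure are assumptions of this example; the rest follows the article.

```python
import math
import secrets

# Constructed subset of the Diceware word list: only the six entries that
# appear in the article. A real list has 7776 entries, one for every
# five-roll sequence from 11111 to 66666.
SAMPLE_WORDLIST = {
    "64643": "yamaha",
    "23643": "dwelt",
    "41461": "man",
    "12423": "arden",
    "55545": "stony",
    "45523": "pier",
}

DICE_SIDES = 6
ROLLS_PER_WORD = 5
WORDLIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD  # 7776
PRINTABLE_ASCII = 94  # assumed alphabet size for the 12 character comparison


def roll_die():
    """One roll of a fair six-sided die, drawn from the OS CSPRNG.

    Physical dice are the article's method; secrets.randbelow is an unbiased
    software stand-in (the random module is not suitable for this).
    """
    return secrets.randbelow(DICE_SIDES) + 1


def roll_word():
    """Five die rolls, i.e. one word's worth of randomness."""
    return [roll_die() for _ in range(ROLLS_PER_WORD)]


def rolls_to_key(rolls):
    """Turn a list of five die faces into a word list key such as '64643'."""
    if len(rolls) != ROLLS_PER_WORD:
        raise ValueError(f"need exactly {ROLLS_PER_WORD} rolls, got {len(rolls)}")
    if any(not 1 <= r <= DICE_SIDES for r in rolls):
        raise ValueError("every roll must be a die face from 1 to 6")
    return "".join(str(r) for r in rolls)


def words_from_rolls(roll_groups, wordlist):
    """Look up one word per five-roll group, preserving the roll order."""
    return [wordlist[rolls_to_key(group)] for group in roll_groups]


def uppercase_word_by_roll(words, roll):
    """The article's trick: a single die roll picks which word to uppercase."""
    index = roll - 1
    if not 0 <= index < len(words):
        raise ValueError(f"roll {roll} does not select a word in a {len(words)} word phrase")
    return [w.upper() if i == index else w for i, w in enumerate(words)]


def combinations(num_words, list_size=WORDLIST_SIZE):
    """Number of distinct passphrases of num_words words drawn from list_size."""
    return list_size ** num_words


def entropy_bits(num_words, list_size=WORDLIST_SIZE):
    """Passphrase strength in bits: log2 of the number of combinations."""
    return num_words * math.log2(list_size)


def random_password_combinations(length, alphabet_size=PRINTABLE_ASCII):
    """Combinations for a random character password over a fixed alphabet."""
    return alphabet_size ** length


def strength_ratio(password_length, num_words):
    """How many times more combinations the character password has than the passphrase."""
    return random_password_combinations(password_length) / combinations(num_words)


if __name__ == "__main__":
    # The article's six roll groups, reproduced so the lookup is deterministic.
    article_rolls = [
        [6, 4, 6, 4, 3], [2, 3, 6, 4, 3], [4, 1, 4, 6, 1],
        [1, 2, 4, 2, 3], [5, 5, 5, 4, 5], [4, 5, 5, 2, 3],
    ]
    words = words_from_rolls(article_rolls, SAMPLE_WORDLIST)
    print("passphrase:", " ".join(words))
    print("roll 3 uppercased:", ".".join(uppercase_word_by_roll(words, 3)))
    for n in (5, 6):
        print(f"{n} words: {combinations(n):,} combinations, {entropy_bits(n):.1f} bits")
    print(f"12 random chars: {random_password_combinations(12):,} combinations, "
          f"{strength_ratio(12, 6):.2f}x the 6 word passphrase")
    # With a full 7776-entry list you would replace article_rolls with
    # [roll_word() for _ in range(6)] and look each group up the same way.
```

The strength figures come out of the same arithmetic the article uses: 7776^5 and 7776^6 for the passphrases, 94^12 for the random password, and a ratio of about 2.15. The bits figure (roughly 64.6 bits for five words, 77.5 for six) is the form most password-strength discussions use, and it makes the point that the strength comes entirely from the dice, not from how the words are spelled.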

Compare this to a 12 character random password that you are probably not going to remember anytime soon: K=tC@6OQ_\lJ

Why does this Matter?

Simple passwords, such as the names of pets, significant others, or property, or single dictionary words, are just not strong enough. As technology gets more powerful, so does password cracking capability.

In a data breach, simple passwords are cracked first, many in a matter of seconds. If you are using a simple password, your account may be the first the attacker accesses. If the same password is used across multiple services, the attacker can easily access those accounts as well.

Using passphrases, unique passwords generated by a password manager, and two-factor authentication is the best way to ensure your accounts are protected from cybercriminals.