Guide to stronger passwords – Part 3 (Diceware)

Tips & tricks
4 mins
Dice with locks on it, representing Diceware as a password generator.

This is Part 3 of our stronger password series. For the other parts, click below:

Part 1 (Two-factor authentication)
Part 2 (Password managers)

Generate secure and memorable passwords with Diceware

If you’ve read Part 1 and Part 2 of our stronger password series, you know how to secure your accounts with two-factor authentication and use a password manager to create and store passwords so you don’t have to remember them yourself.

In the final part of the series, we’ll talk about Diceware, a simple technique to generate strong passwords for when you do have to remember them yourself.

Diceware is a great way to generate memorable, random, unique, and long passwords. It’s a great strategy for your most precious passwords, like your primary password to your password manager, or any other passwords you might want to store entirely in your head (such as the password to your computer, your backups, your encryption key, or a brainwallet for your Bitcoin).

How to use Diceware to generate a memorable passphrase

To generate a password using Diceware, you just need a regular six-sided die and some pen and paper.

Important: Before you do anything, save a copy of this Diceware list to your computer. This is what you will use to generate your Diceware password.

Make sure that you are alone and that no cameras are nearby. For maximum protection, disconnect your computer from the internet (after you save the Diceware list!) and cover your webcam.

To start, roll the die five times. Record the number from each roll with the pen and paper. You will end up with a five-digit number. We got 21112.

Now search on the Diceware list for the five digit number you just created. Write down the word the number corresponds to (in our case, it is “click”). This word by itself is not a good password, as it would only take about a thousandth of a second to crack. So repeat the dice rolling process at least four times.

After five sets of five rolls, we ended up with 21112 44564 62246 64454 31312.

This corresponds to the password “click oz twx writhe glenn.”

It would take a single computer about 6 hundred billion trillion centuries to crack this by brute force. This is an unimaginably long time. (For comparison, the universe is only about 14 billion years old.)

If you had a billion computers, each one a billion times stronger than the computers available today, you would still not be able to crack this password in a human lifetime.

Memorize this password and then shred the piece of paper on which you recorded your dice results. Ideally, you should burn it.

To remember your new Diceware password, you will need to use it regularly. Especially while it is still fresh in your memory. Log in frequently to the service you created this password for, and set yourself a reminder to practice it. Remember to destroy any physical copies you make!

Eventually, the password will become muscle memory, and typing it will be as natural as drinking or eating.

What is a passphrase?

The Diceware method described above produces a password made up of words (or pseudo-words), which is sometimes called a passphrase. The webcomic xkcd made them famous with the following example:

A webcomic from xkcd

Passphrases like “correct horse battery staple” generally make good passwords* because they tend to be long and easy to remember, but with some important caveats:

  • The words must actually be random. It might be tempting to make the passphrase make logical or grammatical sense, like “i enjoy blueberry pancakes” or “show me the money”, but this only makes your passphrase easier to guess. If your passphrase is likely to have ever been uttered in a movie, for instance, it’s probably on a list of cracked passwords somewhere, no matter how long it is.
  • If you choose the words yourself, you are probably choosing from a shorter list of common words (~3,000) than exist in the entire English language (~170,000). This can make your passphrase easier to guess.
  • Even if you attempt to be as random as possible in choosing the words in your own passphrase, you may unconsciously be stringing concepts together from pop culture or your personal life. The human brain just isn’t designed to be random!

That’s why Diceware is such a powerful tool. It uses a real-life random number generator (dice) to implant a totally new, unique, password straight into your brain with zero paper trail.

*Needless to say, do not use the exact phrase “correct horse battery staple” as your own passphrase! For that matter, don’t use our example “click oz twx writhe glenn” either as it has now been publicly published on the internet.

Diceware + password manager + 2FA = a winning strategy

You can use Diceware to generate a strong, memorable password for your secure password manager. Then use your password manager to generate and store all your other account passwords. Add extra security to your most private accounts with two-factor authentication (2FA).

No password strategy is more secure than this.

Phone protected by ExpressVPN.
Take back control of your privacy

30-day money-back guarantee

A phone with a padlock.
Enjoy a safer online experience with powerful privacy protection
What is a VPN?
Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.