Diceware: how five dice pick a better password than you do

Published on by David Carrero

Think of a random word. Right now, the first one that comes to mind.

Whatever it was, it wasn’t random. It was one of your words: something you read this week, an object sitting in front of you, the letter your name starts with. Ask a person for randomness and what you get back is autobiography. And autobiography can be guessed.

That’s the whole password problem in one line. It isn’t that people are lazy — they are — it’s that we are incapable of generating randomness. We favour certain letters, we avoid repeats because they “don’t look random”, we alternate vowels and consonants without noticing, and when someone asks for a number we reach for the ones lying around: dates, ages, digits that mean something. An attacker doesn’t need to know who you are to exploit that. Knowing you’re human is enough.

One engineer, five dice and a list

In 1995, Arnold G. Reinhold published a method on his website and called it Diceware. The idea is so simple it’s almost annoying to have to spell out: if the problem is that humans can’t choose at random, take the choosing away from the human.

The whole procedure fits in three lines:

  1. Roll five dice and write the results down in order. Say you get 4-2-6-1-3.
  2. Look up 42613 on a list.
  3. That’s your word. Roll again for the next one.

The list has 7,776 entries, and that number isn’t arbitrary: it’s 6⁵, every possible outcome of five dice. Each combination — from 11111 to 66666 — points at a different entry, with none left out and none used twice. The original list mixes short words with the odd syllable, digit and stray symbol, precisely because finding 7,776 good words is harder than it sounds.

The list isn’t the point. The dice are.

Why 12.9 bits are 12.9 bits

Here’s the part almost nobody gets, and it’s the only one that matters.

The entropy of a Diceware word is log₂(7,776) = 12.9 bits. That’s arithmetic, not security: there are 7,776 outcomes and every one of them is exactly as likely as the rest.

Compare that with what happens when you do the picking. Ask me for a word from a 7,776-word dictionary and the sum looks identical — 7,776 options again — but it isn’t, because you won’t pick them with equal probability. You’ll pick common words, words you like, words you saw today. That dictionary is worth 12.9 bits on paper and a good deal less inside your head, and the attacker sorts his list by frequency and tries the popular ones first. Entropy isn’t how many options exist: it’s how many are left once you subtract what the attacker knows about your taste.

Dice have no taste. They have no memory either: a die doesn’t know the last roll came up forest, so it won’t avoid repeating itself, won’t reach for variety, and won’t feel awkward about two words starting with the same letter. That’s why Diceware’s 12.9 bits are 12.9 real bits, and not a hopeful number off a brochure.

And that’s why the sums work out upwards. Every word adds:

  • Five words: about 64 bits.
  • Six words: about 77 bits.
  • Seven words: about 90 bits.

It’s clean addition, not magic multiplication, because each roll is independent of the others. Reinhold recommends never going below five words, and six or more for anything that genuinely matters. You can watch the effect in the generator: adding a word always adds the same amount, and that “always” is the entire invention.

The secret isn’t the list

The objection writes itself: if the list is public, doesn’t that make it easier to break?

No, and it’s worth saying slowly. The 12.9 bits already assume the attacker has the list. They also assume he knows you use Diceware, knows how many words your phrase has, and knows the order you type them in. All of it is already subtracted. The only thing he doesn’t know is what your dice came up with, and that is precisely what you’re counting when you say “77 bits”.

It’s the opposite of what we do with P@ssw0rd, where every last hope rests on nobody thinking to swap the a for an @. They think of it. It’s one of the first rules any dictionary-attack tool applies. If you’re tempted, try it in the checker and see how long it lasts.

The EFF and the alternative lists

In 2016 the Electronic Frontier Foundation published its own word lists for dice-rolled passphrases. The long list keeps the 7,776 entries — same five dice, same 12.9 bits — but changes what’s in them: out go the odd syllables and symbols, in come ordinary words, easy to type and easy to tell apart. They also published short lists of 1,296 words (6⁴, four dice, 10.3 bits per word): one with shorter, more memorable words, and one designed so that every word differs from the others in its opening letters and can be autocompleted. The trade-off is that each roll is worth less and you have to roll more often.

The elegant bit is that the arithmetic doesn’t bend to anyone’s taste. The number of entries is what rules. Make your own list in Welsh, in Swahili or in Klingon: as long as it has 7,776 distinct entries and you choose with dice, every word is worth 12.9 bits. All you’re deciding when you change lists is how pleasant the result feels, not how secure it is.

The three ways to ruin it

Diceware fails in three ways, and all three are the same mistake: the human putting his hands back on it.

  • Rolling again because “I don’t like that one”. Discard results and you’re not using dice any more: you’re using your judgement with a die for a prop. You get what you get.
  • Reordering the words so they sound like a sentence. The order is part of the roll too.
  • “Improving” it with a ! at the end and a capital at the start. That adds nothing against an attacker who knows people put a ! at the end and a capital at the start. If you have to satisfy some idiotic policy, fine, do it — but don’t kid yourself that you gained security: you gained it by rolling again.

And a warning Reinhold gave from the start: ordinary dice are more than good enough — casino dice are more precise, but you don’t need them — roll on a flat surface, and write down whatever comes up.

The short version

A six-word phrase pulled out of dice takes longer to type than P@ssw0rd, is easier to remember than Tr0ub4dor&3, and is many orders of magnitude more expensive to break than either. Not because it’s more devious — it isn’t, it’s six ordinary words — but because it’s the only part of your password you didn’t decide.

That’s the whole joke of Diceware: the best password you can have is the one your opinion had no say in.


Sources: Arnold G. Reinhold, “The Diceware Passphrase Home Page” and his 7,776-word list (1995) · Electronic Frontier Foundation, word lists for dice-rolled passphrases (2016) · the arithmetic is checkable: 6⁵ = 7,776 and log₂(7,776) ≈ 12.92 bits per word.

← Back to the blog