Everyone should be using a good password manager, there is simply no better way to remember multiple strong and unique passwords for every website, service, and app that you use.
The only real snag is that password managers are themselves secured with a master password. This is something that worries many people, as it provides a single point of failure and a chain is only as strong as its weakest link. If that one password becomes compromised then all your other passwords do too.
The use of two-factor authentication mitigates this problem considerably, but the fact remains that a lot rides on the master password being both secure and memorable.
It can be difficult to remember genuinely secure passwords, and you can't, of course, use your password manager to remember it for you!
The same issue affects unlocking mobile phones and other situations where a strong password is needed before you can deploy a password manager.
So what we need is a password which is genuinely secure, but which we can actually remember...
What is Diceware?
Diceware is a method that helps to improve password security by randomizing word selection to create "passphrases" that humans can remember. Although memorable, these passphrases are also extremely secure. Below we have listed some examples of Diceware passphrases:
- sediment preschool reactor area crux plentiful domestic
- entitle slinky vigorous blinking exhaust fresh lunchtime
- reappear roving pectin twirl antacid folic marbles
Each word adds 12.9 bits of entropy to the passphrase. The above examples all use 7 words (90.47-bit entropy), but you can use as many as you like. The minimum recommended number these days is 6 (77.55-bit entropy), up from the original recommendation of 5 (64.62-bit entropy). More than 10 words can be very hard to remember.
Why Passphrases are secure
One key factor affecting the security of a password is how long it is (its size in bits). Sentences are longer than words, with the bonus that spaces and capitals add additional entropy (in the same way using -#$, etc. in a password makes it harder to guess or brute force).
“I like taking Spot my dog to the park on rainy days,” is a lot more secure than “spotismydog,” but it is also easy to remember.
So a passphrase you can remember is almost always better than a password you can remember (as opposed to a computer-generated one you are unlikely to).
Which is all well and good, but it's still not that secure. Humans can't help but think in patterns, and invariably make up sentences which have some kind of logical sense or meaning to us, using words which have a guessable relationship to each other.
How does Diceware work?
Diceware uses a list of 7776 short words, abbreviations, and easy-to-remember character strings, one for each of the 7776 possible outcomes of five dice (6 x 6 x 6 x 6 x 6), to generate each word. To use it, simply throw five dice (yes, actual physical 6-sided dice) one at a time, or all at once reading from left to right, and cross-reference the resulting five-digit number with the list.
Below is a short sample from the original Diceware list:
Diceware recommends doing this six times to create a random combination of six words for great security, but if you are worried about remembering too many words, you can do this as many times as you choose.
Since the original list was created in 1994, additional lists have been created to cater to some 30 different languages. In addition to this, in 2016 the Electronic Frontier Foundation (EFF) published three alternative English lists using words which are on average longer than in the original, but which are intended to be easier to remember.
There is also a special list for adding symbols and other weird stuff (&^%#@) that some password forms insist on.
Can I use a computer to generate Diceware passphrases?
It is, of course, possible to use a computer to do the hard work for you. Indeed, many password managers (such as KeePassXC below) and websites offer to do just this.
You should be aware, however, that computers really struggle with genuine randomization. The clue is in their name - they compute. They can simulate randomization by computing algorithms to reach a result, but because they are just algorithms, the "pseudorandom" numbers generated are ultimately predictable.
It's up to you, but using real physical dice to generate Diceware passphrases is much more secure than relying on a computer algorithm to do it for you.
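The lookup procedure described under "How does Diceware work?" and the computer-assisted generation discussed above, as an added example that is not part of the original article or of the Diceware project. The word list embedded here is a constructed seven-line sample in the Diceware file format (five dice digits, a tab, the word); the keys are made up and the real list has 7776 entries. Simulated rolls, where used, come from the operating system's cryptographic random source via Python's `secrets` module rather than a plain pseudorandom generator.

```python
import math
import secrets

# Constructed sample in the Diceware file format: "KEY<TAB>WORD".
# Keys are made up for this demo; the real list covers 11111..66666.
SAMPLE_WORDLIST = """\
11111\tsediment
11112\tpreschool
11113\treactor
11114\tarea
11115\tcrux
11116\tplentiful
66666\tdomestic
"""


def parse_wordlist(text):
    """Parse 'KEY<TAB>WORD' lines into a dict; blank lines are skipped."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad Diceware key {key!r}")
        words[key] = word.strip()
    return words


def roll_key(rolls):
    """Five dice values (1-6), read left to right, become the lookup key."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five dice values in 1..6")
    return "".join(str(r) for r in rolls)


def roll_dice(n=5):
    """Simulated rolls from the OS CSPRNG (secrets), not a plain PRNG."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def entropy_bits(n_words, list_size=6 ** 5):
    """Each word drawn uniformly from list_size words adds log2(list_size) bits."""
    return n_words * math.log2(list_size)


def passphrase(rolls_per_word, wordlist):
    """Turn one five-dice roll per word into a space-separated passphrase."""
    return " ".join(wordlist[roll_key(rolls)] for rolls in rolls_per_word)


WORDLIST = parse_wordlist(SAMPLE_WORDLIST)
```

With the full 7776-word list loaded through `parse_wordlist`, `passphrase([roll_dice() for _ in range(6)], wordlist)` yields a six-word passphrase, and `entropy_bits(6)` reports the 77.55 bits quoted above.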
Diceware is completely free to use. Word lists and full documentation are available on the official Diceware Passphrase home page.