Best Security Search

Create Random Passwords with Diceware

This guide explains the Diceware principle and how to use it to create truly random passwords that are secure enough even for critical applications.

Use the Diceware Method to Create a Secure Password

Passwords are often criticized as a weak security mechanism: they can be guessed or brute-forced easily with specialist tools. A secure password needs to be made up of random characters and have sufficient length. A good combination features lowercase and uppercase letters, numbers, special symbols (such as $, %, #, etc.) and a length of over 8 symbols. This is the general recommendation made by many security experts.

In addition, passwords have to be changed promptly when a data leak occurs: once the credentials are changed in time, the compromised data is no longer valid and is rendered useless. Generating passwords can be hard, as users are advised not to use dictionary words; these are easy to guess and efficient to crack, because most malicious utilities run dictionary attacks against protected files. When this security policy is followed, however, the generated password proves difficult to memorize.

This is where password managers come in. They provide safe storage for all critical username and password combinations and are a reliable tool for system administrators and privacy-minded individuals; see our guide on using the free utility KeePass. However, there are sometimes reasons why people choose not to use this option either.

And here comes Diceware, a password generation method that offers a secure alternative for creating good passwords.

What and Why to Use Diceware

The system was initially developed in 1995 by Arnold Reinhold, who created a simple method of building a password by rolling dice. Each set of dice rolls selects a word from a predefined list, and as more rolls are added the password becomes more secure. Human dice rolls are truly random, as they are not controlled by a computer algorithm (the technique used by contemporary password generators). A classical implementation used a password made up of five words separated by spaces. This gives an entropy of at least 66.4 bits, which is still crackable by a big cracking operation such as a botnet.

All that you need to do is the following:

  1. Gather as many dice as you want the complexity to be.
  2. Download or generate a sample wordlist.
  3. Make the necessary rolls to generate the random password.

A six-word passphrase would be significantly more difficult to crack: as the complexity increases, so does the password's security. Users can opt for ready-made wordlists or create their own. Each word is chosen based on five 6-sided dice rolls. By changing the words in the predefined list to include numbers or special characters, the generated password would be truly random and very difficult to breach.
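The procedure above, worked through in code as an added example (not part of the original article or of Reinhold's own materials): it parses a wordlist in the usual Diceware file layout (a five-digit dice key followed by the word on each line), checks that the list covers all 6^5 = 7776 roll outcomes, maps five rolls to a word, and computes the passphrase entropy from the list size. Physical dice are the original method; the `secrets` module is used here only as a CSPRNG stand-in, and the sample list is constructed, not the real one.

```python
import math
import secrets
from itertools import product

DICE_PER_WORD = 5                 # each word is selected by five 6-sided dice rolls
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 distinct roll outcomes, one word per outcome
FACES = "123456"


def parse_wordlist(text):
    """Parse lines of the form '11111<tab>word' into a {dice_key: word} dict."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split(None, 1)
        if len(key) != DICE_PER_WORD or any(c not in FACES for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word.strip()
    return words


def check_wordlist(words):
    """A usable list must map every one of the 7776 roll outcomes to a word."""
    return len(words) == LIST_SIZE and all(
        "".join(p) in words for p in product(FACES, repeat=DICE_PER_WORD))


def roll_word_key(rng=secrets):
    """Five rolls -> key such as '31452'. rng.randbelow(6) stands in for real dice."""
    return "".join(str(rng.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def generate_passphrase(words, n_words, rng=secrets):
    """Build an n-word, space-separated passphrase from a complete Diceware list."""
    if not check_wordlist(words):
        raise ValueError("wordlist does not cover all 7776 roll outcomes")
    return " ".join(words[roll_word_key(rng)] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of a passphrase whose words are drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


# Constructed stand-in list: every key maps to a placeholder word, so the
# example runs offline without the real Diceware wordlist file.
SAMPLE_TEXT = "\n".join(
    f"{''.join(p)}\tw{''.join(p)}" for p in product(FACES, repeat=DICE_PER_WORD))
```

Note that the entropy depends only on the list size and word count, not on how long or unusual the chosen words are; adding digits or symbols to list entries makes the words harder to guess individually but does not change this figure.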

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.