
Create secure passphrases with Diceware

David Strom analyzes passphrase creation software Diceware, in this edition of David Strom's Security Tool Shed.

Category: Passphrase creation software
Name of tool: Diceware
Company name: Diceware
Price: Free for the downloading
Platforms supported: All you need is a pair of dice and a Web browser.
Description: A passphrase generation routine that is so easy, so simple, you wonder why more people aren't using it.

**** = Very cool, very useful

Key features
Simple, effective and the ultimate in enhanced security.

You still need an encryption program like PGP or Hushmail to do the complete job of protecting your data.


The biggest problem with any encryption program has to do with the kinds of passphrases that you select to encrypt your documents, e-mail and other daily Internet life. The problem, until recently, is that the more complex the passphrase, the harder it is to remember, and the more likely you'll resort to writing it down someplace that isn't very secure. Thus, many people choose common names, such as those of a spouse, pet, spouse's pet, or other words that are easily guessed if you know something about the person or easily guessed by passphrase cracking programs if you don't.

If you have used a program like PGP or Hushmail, one of the first things you had to do was choose a passphrase. Most of you are probably like me. You chose something that is short and sweet, something that anyone could easily guess. That doesn't help matters if you are using these strong encryption programs.

To see how prevalent this kind of guessing is, my high school networking students once asked me the names of all my pets. It took me a minute to figure out what they were after.

So, what to do? You want a strong passphrase, but you also want it memorable and unique enough so that your data is safe.

Enter Diceware. It isn't really software per se, but it is such a clever idea that when I heard about it, I had to try it out and tell you all about it. The idea is so simple that even a child can do it. Take two dice. Yes, the kind that come in most board games. Roll them a bunch of times and write down the numbers that appear. Collect these numbers into groups of five. Now go to the Web site and download their word list. Look up the word next to each five-digit number and write it down.

Voila. If you roll your dice 13 times and collect five groups of five numbers each (eliminating one of the numbers at random), you now have an almost unbreakable passphrase. The wonderful thing about this method is that the passphrase is made up of common words, such as "cleft cam synod lacy got." It is easier to remember than something like "as^&zf%r$h$." It is also more secure, because, first, it is longer, and second, the words are not obvious guesses for a cracking program; they are just ordinary words strung together.

If you want to get fancy, you can find a copy of the game Yahtzee (or, go to this Web site; you don't even need to get the actual game), and roll your five dice at once.

Why five words? According to the math behind this system, a five-word passphrase is about as good as a 65-bit encryption key. That should keep most of the bad guys out of your data for the time being. If you want to be even more paranoid, a six-word passphrase is probably better, at around 78 bits.
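The procedure above (roll, group into five-digit codes, look up each code) and the bit counts in this paragraph can be checked with a few lines of code. The following is an added example, not the Diceware project's own code or list: the word list embedded here is a constructed five-entry stand-in for the real 7776-entry list (the codes and the "code word" line layout are assumptions about the file format), and the `roll_code` function draws from the operating system's random number generator in place of physical dice.

```python
"""Diceware-style passphrase generation with the dice arithmetic and the
entropy estimate spelled out. Added example; not the Diceware project's code."""
import math
import secrets

DICE_PER_WORD = 5                          # five dice (or five rolls) per word
FACES = "123456"
LIST_SIZE = len(FACES) ** DICE_PER_WORD    # 6**5 = 7776 codes, one word each

# Constructed stand-in for the downloaded list. The real file is assumed to
# have one entry per line in the same "code word" layout, codes 11111..66666;
# these five entries only cover the article's sample passphrase.
SAMPLE_WORDLIST = """\
11111 cleft
23456 cam
34512 synod
45123 lacy
56234 got
"""


def code_to_index(code):
    """Read a five-digit dice code as a base-6 number (0..7775).

    A full list is just these 7776 codes in order, so the index is the
    position of the word in the list."""
    if len(code) != DICE_PER_WORD or any(c not in FACES for c in code):
        raise ValueError(f"dice code must be {DICE_PER_WORD} digits from 1-6: {code!r}")
    index = 0
    for c in code:
        index = index * len(FACES) + (int(c) - 1)
    return index


def parse_wordlist(text):
    """Turn 'code word' lines into a dict, rejecting malformed codes."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        code, word = line.split(maxsplit=1)
        code_to_index(code)          # raises ValueError on a bad code
        table[code] = word.strip()
    return table


def codes_from_rolls(rolls):
    """Group a written-down run of dice results into five-digit codes, as the
    article describes; whitespace is ignored and a trailing partial group
    (the 'eliminated' extra number) is discarded."""
    digits = "".join(rolls.split())
    full = len(digits) // DICE_PER_WORD * DICE_PER_WORD
    return [digits[i:i + DICE_PER_WORD] for i in range(0, full, DICE_PER_WORD)]


def passphrase_from_rolls(rolls, wordlist):
    """Look up each code from rolls already written down and join the words."""
    return " ".join(wordlist[code] for code in codes_from_rolls(rolls))


def roll_code():
    """Five rolls from the OS CSPRNG, standing in for physical dice."""
    return "".join(secrets.choice(FACES) for _ in range(DICE_PER_WORD))


def passphrase(num_words, wordlist, roller=roll_code):
    """Roll `num_words` codes and look each one up. `roller` is injectable so
    the dice can be replaced by a fixed sequence."""
    return " ".join(wordlist[roller()] for _ in range(num_words))


def entropy_bits(num_words, list_size=LIST_SIZE):
    """Each uniformly chosen word contributes log2(list_size) bits, so
    five words give about 64.6 bits and six about 77.5 bits."""
    return num_words * math.log2(list_size)


if __name__ == "__main__":
    wl = parse_wordlist(SAMPLE_WORDLIST)
    # Replay the article's example rolls: the sample list has only these codes.
    print(passphrase_from_rolls("11111 23456 34512 45123 56234 6", wl))
    for n in (5, 6):
        print(f"{n} words ~ {entropy_bits(n):.1f} bits")
```

With a full list, `passphrase(5, parse_wordlist(open("diceware.wordlist").read()))` produces a fresh phrase; the rounding in `entropy_bits` is what turns 64.6 and 77.5 into the 65 and 78 bits quoted above.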

How paranoid should you be? The FAQ on the Diceware Web site is worth reading, if for nothing more than to give you some idea of how easy it is for someone to penetrate your systems.

Get Diceware, and get a strong passphrase. If you plan on using PGP or Hushmail or some other encryption product, your business might depend on it.

Strom-meter key:
**** = Very cool, very useful
*** = Hey, not bad. One notch below very cool.
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.

About the author
David Strom is president of his own consulting firm in Port Washington, NY. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995 he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him e-mail at

This was last published in February 2002
