Each word chosen by five dice from the EFF wordlist. Watch them roll.
In 1995, Arnold Reinhold published a simple, powerful idea: roll five physical dice, look up the resulting five-digit number in a word list, and repeat until you have a passphrase. The method is called Diceware, and its genius lies in making randomness visible. You can watch the dice, verify the rolls, and trust the result because you controlled every step. In 2016, the Electronic Frontier Foundation published a refined wordlist of 7,776 carefully selected English words: common, distinct, easy to spell, and resistant to confusion.
Five six-sided dice produce 7,776 equally likely outcomes (6 raised to the fifth power). Each word selection from the EFF list therefore carries log2(7776) = 12.9 bits of entropy. Six words deliver 77.5 bits. Seven words reach 90.4 bits. Eight words provide 103.4 bits. These figures describe the search space an attacker must exhaust through automated guessing. At one trillion guesses per second, a six-word passphrase requires on average 2.4 million years to crack.
The mathematics is precise because the word count governs the entropy completely. Adding one word multiplies the possible combinations by 7,776. A seven-word diceware passphrase is 7,776 times harder to crack than a six-word one. This exponential growth is what makes passphrases so powerful with so few components.
A passphrase like radar clamp trophy pencil bazaar flint contains 77.5 bits of entropy. A truly random password of equivalent strength using all character classes (uppercase, lowercase, digits, symbols) would need approximately 12 characters. The critical difference: most humans can memorize six common words after reading them twice. Memorizing 12 random characters like k$9Tm!vX2p#q typically requires writing it down, which introduces a physical security risk. The passphrase lives comfortably in memory while providing equivalent or greater mathematical strength.
Every word on this page is selected by generating five independent random values from 1 to 6, simulating five physical dice. The dice grid above the passphrase shows the exact values that produced each word. This transparency is fundamental to the Diceware philosophy: the randomness source is visible, auditable, and understandable. Your browser creates these values using crypto.getRandomValues(), the Web Cryptography API specified by the W3C. The same hardware entropy source secures your online banking sessions.
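An added example, not the site's own code: one way to turn crypto.getRandomValues() output into fair dice rolls and a five-digit wordlist lookup, as described above. The function names, the injectable fill parameter and the placeholder wordlist are assumptions for illustration; a real deployment would load the published EFF list.

```javascript
// Added example (not the site's code). `fill` is injectable for testing.
const webFill = (buf) => globalThis.crypto.getRandomValues(buf);

// One fair die. A byte has 256 values and 256 is not a multiple of 6, so a
// bare `byte % 6` would favour faces 1-4. Reject 252..255 (252 = 42 * 6).
function rollDie(fill = webFill) {
  const buf = new Uint8Array(1);
  for (;;) {
    fill(buf);
    if (buf[0] < 252) return (buf[0] % 6) + 1;
  }
}

// Five dice concatenated form the lookup key, e.g. "43146".
function rollKey(fill = webFill) {
  let key = "";
  for (let i = 0; i < 5; i++) key += rollDie(fill);
  return key;
}

// Parse "key<whitespace>word" lines; refuse a list that is not exactly
// 6^5 entries, since a short or damaged list leaves rolls without a word.
function parseWordlist(text) {
  const map = new Map();
  for (const line of text.split("\n")) {
    const m = /^([1-6]{5})\s+(\S+)$/.exec(line.trim());
    if (m) map.set(m[1], m[2]);
  }
  if (map.size !== 6 ** 5) throw new Error(`expected 7776 words, got ${map.size}`);
  return map;
}

// Returns the rolls alongside the words so the result can be audited.
function passphrase(wordCount, wordlist, fill = webFill) {
  const rolls = Array.from({ length: wordCount }, () => rollKey(fill));
  const words = rolls.map((key) => wordlist.get(key));
  return { rolls, words, bits: wordCount * Math.log2(wordlist.size) };
}

// Constructed placeholder list ("word11111" ... "word66666"), standing in
// for the published EFF file so the example runs offline.
function placeholderList() {
  const lines = [];
  for (let n = 0; n < 6 ** 5; n++) {
    const key = n.toString(6).padStart(5, "0").replace(/[0-5]/g, (d) => +d + 1);
    lines.push(`${key}\tword${key}`);
  }
  return lines.join("\n");
}
```

Calling passphrase(6, parseWordlist(placeholderList())) in a browser console returns six rolls and their words; the rejection step discards about 1.6% of bytes, which is the cost of keeping every face equally likely.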
The right word count depends on what the passphrase protects. For general web accounts, six words provide excellent security (77.5 bits). For high-value accounts such as primary email, password managers, or encryption keys, seven or eight words add substantial safety margin. For particularly sensitive applications, ten words deliver 129 bits of entropy, exceeding the security level of a 128-bit encryption key.
Diceware makes an excellent probability exercise because it directly connects abstract entropy calculations to a tangible outcome. Have students visit /diceware/4 and watch the dice grid. Each student sees four words produced by twenty dice rolls. Ask the class: how many possible four-word passphrases exist? The answer, 7,776 to the fourth power (approximately 3.66 trillion), tends to surprise students who think of passwords as short character strings.
For a deeper exercise, bring physical dice to class. Have each student roll five dice, look up the word in the published EFF list, and repeat four times. Compare the physical passphrases to the digital ones. The discussion around whether physical dice and digital generators produce equivalent randomness opens the door to concepts of entropy sources, hardware random number generation, and the mathematical definition of fairness. The tool requires no accounts and processes no student data. Every passphrase stays in the student's browser.
The dice83 diceware generator runs entirely inside your browser. The server delivers this page, including the EFF wordlist. Your device generates the random dice rolls and selects the words locally. The passphrase never leaves your browser's memory. It exists nowhere else: no server log, no database, no analytics pipeline.
When you share this tool with a friend, you share the configuration URL, which specifies only the word count. The passphrase itself is absent from the shared link. Your friend's device generates a completely independent passphrase from its own random number generator. The URL carries the tool configuration. Your device carries the secret.