As is often the case for hackers, there is an XKCD comic that explains the problem. A good passphrase consists of a number of randomly chosen, common words.
What the comic does not explain is how to truly randomly select the words. The answer to that is diceware. It is rather simple: you throw five dice, look up the resulting number in a word list, and repeat a few times.
The diceware website does provide these lists of words, but I didn’t really like them. There were two problems with the list:
- Formatting was basically nonexistent,
- and there were lots of non-alphabet characters.
The solution was obvious: when the old lists aren’t good, I needed to make new ones.
The lists
There are four lists ready to download; the names pretty much tell what is what:
- Deutsche Wortliste für Diceware, für W20.pdf
- Deutsche Wortliste für Diceware, für W6.pdf
- Diceware English word list for use with d20.pdf
- Diceware English word list for use with d6.pdf
Word origin and selection
As the base for the words I used the BEOlingus online dictionary. They offer a word list as a free download, licensed under the GPL v2.
I then munged that list in a number of ways until I had two lists, one English and one German, of short words consisting entirely of the lower-case letters a to z. From those I randomly picked 7776 words for the classical five 6-sided dice word selection and 8000 words for the three 20-sided dice word selection.
This last selection means that there are some strange words in the list. Maybe I’ll pick words by hand at some later date.
On rolling dice
One point I’d like to reiterate is the ordering of the dice when you roll the five dice for a single word together. The diceware website does mention that “(i)f you do roll several dice at a time, read the dice from left to right.” You need strict rules for how to order the dice. When you decide the order of the dice on the spur of the moment, an important degree of randomness is lost.
The procedure I use with six-sided dice is:
- Always use a throwing cup
- Shake it well for each throw
- Throw the dice so there is room to move them away from you.
- Dice stacked on top of others are counted first. Place them on the side, keeping the thrown value.
- Then take a pen and push the dice away from you until they are arranged in neat rows.
- Now read them by rows, then by columns, from top to bottom, from left to right.
- If in doubt whether a die should “count”, throw again.
The exact rules aren’t important. What is important is that there are rules to decide the order.
Another way to decide is to use five distinct dice (one red, one white, one green, one big, one small, ...) and have a strict order based on the dice themselves.
For 20-sided dice, which typically come in a variety of colors, this method is more common. (Also, the method of pushing the dice until they are in a row is harder to do, as the D20 tend to roll rather than slide.) I personally have a blue, a white and a green D20 and use them in that order.
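To make the two points above concrete, here is an added example (not code from this post or from the diceware project) that turns an ordered roll of five d6 or three d20 into an index into a 7776- or 8000-word list, and shows that reading the same dice in a different order picks a different word. The word list and the software dice are constructed stand-ins; the entropy figure follows from the list sizes the post gives.

```python
import math
import secrets

# From the post: 6^5 = 7776 words for five d6, 20^3 = 8000 words for three d20.
DICE_SETUPS = {6: 5, 20: 3}  # sides -> number of dice read per word


def roll_to_index(rolls, sides):
    """Map one ordered roll, e.g. [3, 1, 6, 2, 5] for d6, to a 0-based list index.

    The faces are read as digits of a base-`sides` number in the fixed order
    the post insists on. Changing the reading order changes the index, which is
    why the order must be decided before the throw, not after looking at it.
    """
    if sides not in DICE_SETUPS or len(rolls) != DICE_SETUPS[sides]:
        raise ValueError("expected %d d%d" % (DICE_SETUPS.get(sides, 0), sides))
    index = 0
    for face in rolls:
        if not 1 <= face <= sides:
            raise ValueError("face %r is not on a d%d" % (face, sides))
        index = index * sides + (face - 1)
    return index


def entropy_bits(n_words, list_size):
    """Entropy of n_words words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def software_roll(sides, count):
    """Stand-in for the throwing cup: the OS CSPRNG, never random.random()."""
    return [secrets.randbelow(sides) + 1 for _ in range(count)]


def passphrase(wordlist, sides, n_words=6):
    """Roll dice (in software) n_words times and look each roll up in wordlist."""
    expected = sides ** DICE_SETUPS[sides]
    if len(wordlist) != expected:
        raise ValueError("list must have exactly %d entries" % expected)
    return " ".join(wordlist[roll_to_index(software_roll(sides, DICE_SETUPS[sides]), sides)]
                    for _ in range(n_words))


if __name__ == "__main__":
    # Constructed placeholder list of 7776 entries, not the post's real word list.
    demo_list = ["w%04d" % i for i in range(6 ** 5)]
    print(passphrase(demo_list, 6))
    print("%.1f bits for 6 words from 7776" % entropy_bits(6, 7776))
```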