Frequently Asked Questions

What changed?

This app was originally built in 2016 with jQuery and Bootstrap. In 2026 it was fully modernized: all runtime dependencies were removed, the UI was rebuilt with semantic HTML and Pico CSS, and all JavaScript was rewritten as native ES modules. The core Diceware algorithm and word lists are unchanged.

New features include multiple passphrase formats (spaces, hyphens, PascalCase, etc.), click-to-remove word tokens, shuffle, automatic dark mode, and crack time estimates for multiple attacker tiers.

How do I use it?

Pick a number (5–9) to generate that many words. The numbered buttons generate a fresh passphrase each time. Use +1 to append a word or +sym to append a special character. Shuffle randomly reorders your passphrase. Click any word token to remove it.

You can also roll physical dice and type a 5-digit result (word) or 2-digit result (symbol) using digits 1–6, then press Enter.

Choose a format (spaces, hyphens, PascalCase, etc.) and copy the result. Store it somewhere safe, and close your browser when done.

Is it safe?

For most people, yes. The app uses your browser's built-in cryptographic random number generator to simulate dice rolls. No data leaves your browser.

If you face a nation-state level adversary, the Diceware FAQ recommends rolling physical dice and looking up words manually.

How is randomness generated?

All randomness comes from crypto.getRandomValues(), the cryptographically secure random number generator built into modern browsers. A rejection sampling algorithm ensures unbiased die roll simulation.
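
The rejection sampling described above, as an added example rather than this app's own source. It assumes one random byte is drawn per roll, and the names rollDie, rollKey and faceCounts are hypothetical.

```javascript
const FACES = 6;
// 256 is not a multiple of 6; 252 is the largest multiple that fits in one byte.
const LIMIT = 256 - (256 % FACES);

// Browsers and current Node expose Web Crypto globally; older Node needs the module.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);
const secureFill = (buf) => webCrypto.getRandomValues(buf);

// Roll one die. `fill` is injectable so the rejection path can be exercised
// with fixed bytes; by default it draws from the CSPRNG.
function rollDie(fill = secureFill) {
  const buf = new Uint8Array(1);
  for (;;) {
    fill(buf);
    if (buf[0] < LIMIT) return (buf[0] % FACES) + 1; // accepted: map to 1..6
    // bytes 252..255 are discarded and a fresh byte is drawn
  }
}

// Roll `count` dice and join the digits: 5 for a word key, 2 for a symbol key.
function rollKey(count, fill = secureFill) {
  let key = "";
  for (let i = 0; i < count; i++) key += rollDie(fill);
  return key;
}

// How many byte values below `limit` land on each face under `byte % 6`.
// limit = 256 shows the bias of plain modulo; limit = LIMIT shows it removed.
function faceCounts(limit) {
  const counts = new Array(FACES).fill(0);
  for (let b = 0; b < limit; b++) counts[b % FACES]++;
  return counts;
}

console.log("word key:", rollKey(5), "symbol key:", rollKey(2));
console.log("plain modulo:", faceCounts(256).join(","));
console.log("with rejection:", faceCounts(LIMIT).join(","));
```

Without the rejection step, faces 1 to 4 would each be backed by 43 byte values and faces 5 and 6 by only 42; discarding the top four byte values leaves every face with exactly 42.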

Does this send data anywhere?

No. Your passphrase, die rolls, and settings never leave your browser. The app works entirely offline after the initial page load.

Where is the code served from?

Everything is static HTML, JavaScript, and CSS — no server, no database. The code has zero runtime dependencies. The only external file is Pico CSS, vendored locally. All source is on GitHub.

Safety tips

Why is the EFF word list the default?

The EFF word list was designed to produce memorable, hard-to-confuse passphrases. Other word lists in 20+ languages are available via the language selector.

What do the letter grades mean?

Every word list is run through an automated verification suite that checks structural integrity (correct key format, no duplicates, no encoding errors) and quality metrics (prefix-free words, minimum word length, Unicode normalization). Results are scored as A–F: A means all checks pass, lower grades indicate quality warnings, and F means a structural failure. The grade badge, pass count, and a link to the full report appear below each list’s title.

What is entropy?

Entropy measures how hard a passphrase is to guess. It depends on the method used to select it, not the passphrase itself. More entropy = harder to crack. A coin toss has 1 bit of entropy; each Diceware word adds ~12.92 bits.

— Adapted from Arnold G. Reinhold's Diceware FAQ

How is entropy calculated?

Each word contributes log₂(7776) ≈ 12.92 bits (one of 7,776 possibilities from five dice). Each symbol contributes log₂(36) ≈ 5.16 bits (one of 36 possibilities from two dice). The total entropy is the sum, and the app tracks words and symbols separately.

What does rAnDomCaps do?

Each click on rAnDomCaps randomly selects one word in your passphrase and capitalizes one of its letters, both chosen at random. Each capitalization adds 1 bit of entropy because the attacker must now check both cases for that character position. Multiple clicks accumulate — three clicks add 3 bits.

The trade-off is memorability. A passphrase like “ratio acts pr astor” is much easier to remember than “rATIO Acts PR AsTOr.” For most people, adding another word (~12.92 bits) is a better investment than several random capitalizations. However, when a system limits overall passphrase length, random capitalization is a practical way to squeeze more security out of fewer characters.

Some systems require a mix of uppercase and lowercase letters. For those, the Diceware FAQ suggests capitalizing the first letter of one randomly chosen word. The rAnDomCaps feature gives you finer-grained control — apply as many or as few capitalizations as you need.

Can I run this locally?

Yes. Clone the repository and serve it with any local HTTP server. It works completely offline. No install or build step required.

Would XKCD approve?

Yes.

Credits