I discovered Diceware a few months ago when looking for a password generation scheme for my company. We were just letting people choose their own passwords before, which I don't think is a good idea. I really like it. My only annoyance, which isn't really the fault of Diceware, is that for lots of passwords I am required to have a capital letter, a digit and/or a special character. Obviously this is to try and increase the entropy in the password, but I know that I have enough entropy in my diceware password and I just want something easy to type.<p>I also discovered the password strength estimator zxcvbn at about the same time. It's pretty clever. It works out which password generation schemes could be used to generate your password and then uses that information to calculate the entropy correctly (assuming the attacker would know what scheme you used).
If anyone wants to generate Diceware passphrases, I wrote a small JS library that does this in a portable manner.<p><a href="https://github.com/resonantcore/lib/blob/develop/js/diceware/diceware.js" rel="nofollow">https://github.com/resonantcore/lib/blob/develop/js/diceware...</a><p>It's identical to the one that ships with the EFF's OpenWireless router firmware.
My short Python script that generates diceware passwords. Because dice is often out of reach.<p><a href="https://github.com/shamrin/diceware" rel="nofollow">https://github.com/shamrin/diceware</a><p>I hope it doesn't have security problems. But feel free to prove me wrong!
This feels like more of a solution looking for a problem, to me. Why? Because even if I increase the entropy of my passwords/passphrases for systems I have to use every single day, the vast majority of them are still going to need me to use numbers and special characters, AND make me change the password in the region of every 30-40 days.<p>Going to all this trouble to generate an admittedly excellently secure password continues to pass the burden of good passwords on to the end user whilst doing nothing to alleviate the core problem, namely that I have to regularly use about 10-20 passwords each day.<p>My preferred solution is www.passwordchart.com<p>In this, I select one very good password/passphrase (for which I could use this method) and then I use an indicator of where I'm logging into to generate site/program specific passwords, e.g.,<p>Phrase: cleft cam synod lacy yr wok<p>Password: 123facebook321<p>Generates: yb63476F9xk6RjGVyp6yp6Hj8347b6y (with +Include Numbers ticked)<p>Phrase: cleft cam synod lacy yr wok<p>Password: 123twitter321<p>Generates: yb6347963m6mj963963RjfRd347b6y (with +Include Numbers ticked)<p>So, for my remembering <i>one</i> complex passphrase and <i>one</i> strategy for generating passwords I can generate strong, complex passwords for any site I need and don't have to remember a single one of them. The only pre-requisite I have to get into a site on another machine from my own is that I have internet access (or have a printed copy of the matrix, or something like that).<p>(My dependence on this website is the one weak link in this, and I have actually implemented something similar on my own webspace that I just need to tweak usability for a bit before I switch over.)