EFF Large Passphrase Generator

EFF Large passphrases: memorable security backed by math

In 2016 the Electronic Frontier Foundation (Joseph Bonneau and colleagues) published three carefully curated word lists for generating passphrases via dice rolls. The flagship EFF Large Wordlist contains exactly 7776 words (= 6⁵), each 5 to 9 letters long, hand-picked to be common, easy to type and unambiguous when spoken aloud. Each word selected uniformly at random contributes log2(7776) ≈ 12.92 bits of entropy.

The technique traces back to Arnold G. Reinhold's Diceware (1995), which used 5 rolls of a d6 to look up each word. The EFF lists modernize Reinhold's original by removing slurs, fixing collisions and balancing length. Two additional lists are provided: the Short Wordlist (1296 words, 4–5 letters each) and the Short Wordlist 2.0, which guarantees a unique 3-letter prefix per word — making autocomplete and typo correction trivial.

How many words do I actually need?

• 4 words: ~51 bits — the xkcd 936 baseline; acceptable for accounts protected by MFA and rate limiting.
• 5 words: ~64 bits — minimum for stand-alone account passwords against an attacker with offline access to a slow KDF.
• 6 words: ~77 bits — recommended modern baseline; resists a well-funded attacker for decades.
• 7 words: ~90 bits — appropriate for password-manager master passwords and disk encryption.
• 8+ words: ~103 bits — quantum-resistant horizon (Grover's algorithm effectively halves the search bits).

Passphrases vs random-character passwords

A 16-character password drawn from the full printable ASCII set has roughly 104 bits of entropy — slightly more than a 7-word EFF Large passphrase — but it is essentially impossible to memorize. A passphrase like correct-horse-battery-staple (the famous example from xkcd 936) is just as strong as a long random string but can survive in a human brain. This is the central tradeoff: passphrases trade a little entropy for enormous gains in usability.

Concretely, you should use passphrases only for things you must memorize: your password-manager master, your disk-encryption passphrase, your SSH key passphrase. For everything else, let the password manager generate and store maximally random strings.

Generating a passphrase with real dice

If you do not trust software randomness — for example when bootstrapping a brand-new password manager — you can generate a passphrase by hand with five 6-sided dice. Roll five times to obtain a 5-digit number between 11111 and 66666, then look it up in the EFF Large list. Repeat for each word.

roll 1: 4 2 6 1 3 -> 42613 -> "judge"
roll 2: 1 5 5 2 6 -> 15526 -> "blurb"
roll 3: 6 1 3 4 2 -> 61342 -> "topple"
...

This is the only generation method whose entropy is verifiable without trusting any software component — including this browser tool.

Wordlist alternatives and the BIP39 case

• BIP39: 2048 words used as Bitcoin/Ethereum wallet seeds (~11 bits per word). Optimized for short, easily transcribed mnemonics — not for human passphrases.
• EFF Short Wordlist 2.0: 1296 words, ~10.34 bits each. Pair with 8+ words for the same total entropy.
• Portuguese unofficial Diceware (Coronel Sousa Pinto and others): community-maintained 7776-word lists. Useful for native speakers but less audited than EFF Large.

Anti-patterns to avoid

• Picking words yourself or tweaking the random output — destroys the entropy guarantee.
• Reusing the same passphrase across services — a single breach exposes everything.
• Writing the passphrase on a sticky note attached to the monitor.
• Choosing a phrase from a famous book, song or movie quote — wordlist-aware crackers test these first.

FAQ

5 or 7 words? 6 is the modern minimum, 7 is safer for master passwords. Five is acceptable only behind MFA.

Can I generate one with physical dice? Yes — roll 5 d6 per word and look up the result in the EFF Large list. It is the most trust-minimizing method.

Is there a Portuguese list? An unofficial community list exists, but it has not been audited at the level of the EFF lists. For maximum confidence stick with English EFF Large.

Are passphrases really safe in 2026? Yes — for memorized secrets they are the gold standard. Quantum threats (Grover's algorithm) effectively halve the entropy in bits, which is why 7+ words is recommended.

Does the separator matter? Hyphens, spaces or no separators all preserve entropy. Use what the target system accepts; just make sure the separator is fixed and not chosen randomly per word.