EFF Short Wordlist 1 Passphrase Generator

EFF Short Wordlist 1: short, typeable, still strong

The EFF Short Wordlist 1 was published in 2016 by Joseph Bonneau at the Electronic Frontier Foundation as a faster-to-type companion to the now-famous EFF Large list. It contains 1296 words (vs the Large list's 7776), each capped at 5 letters or fewer. That cap is the whole point: typing a passphrase like able-acid-aged-also-area-army on a phone keyboard is dramatically faster than typing trombone-decompose-mountaintop-saxophone-armored-volcano. The list still derives from rolling dice — Diceware-compatible, just 4 dice per word instead of 5.

Entropy: 10.34 bits per word, and what that costs you

Each Short word contributes log₂(1296) ≈ 10.34 bits of entropy, versus 12.92 bits for a Large word. The trade-off is concrete:

• 4 Short words ≈ 41 bits — weak. Online brute force survives if the service rate-limits, but offline crack would fall in minutes.
• 6 Short words ≈ 62 bits — borderline. Roughly the strength of a random 10-character mixed password. Fine for low-value accounts, not for password-manager master keys.
• 8 Short words ≈ 83 bits — safe against offline attacks today. The sweet spot for a master password.
• 10 Short words ≈ 103 bits — quantum-resistant margin. Overkill for most threat models, sensible for cold-storage seed protection.

A useful rule of thumb: 6 Large words ≈ 8 Short words in entropy (~78 vs ~83 bits). You pay 2 extra words for the savings in average word length (4 chars vs 7 chars). On a phone keyboard, that's still a net win in typing time.

Short 1 vs Short 2: prefix property

EFF also published Short Wordlist 2, same 1296 words, but with the added constraint that every word has a unique 3-character prefix. That property makes Short 2 the right choice if you plan to autocomplete the passphrase from a 3-letter typed prefix (some password manager UIs do this). For pure passphrase generation with no autocomplete, Short 1 is the right pick — slightly more natural-looking English words, no prefix gymnastics. The bitrate is identical (10.34 bits/word) in both lists.

When to choose Short over Large

Pick Short when typing speed matters more than absolute minimum word count:

• Phone keyboards — the biggest win. Short words mean fewer keystrokes per word and fewer autocorrect surprises.
• Master passwords typed daily — 1Password, Bitwarden, KeePassXC vaults. The seconds add up.
• Wifi guest passwords on whiteboards — visitors will copy it by sight; shorter words = fewer transcription errors.
• Voice dictation — Siri/Google Assistant handle short common words more reliably than 8-letter outliers.

Pick Large when storage or display real estate matters more than typing speed: a Yubikey static password slot, a printed cold-storage seed, a server-side secret never typed by a human.

Tooling and ecosystem

EFF Short 1 is supported as a built-in generator in Bitwarden (open source, web/mobile/CLI), 1Password (custom wordlist option), and KeePassXC (passphrase generator). The original spec lives at eff.org/dice, with the raw .txt downloadable for self-hosted generation. On Linux, apg and pwgen support Diceware-style lists. For Brazilian Portuguese, there is no official EFF Short PT list — your options are to compose your own from a curated short-word list, or fall back to the BIP39 PT list (2048 words, 11 bits each) used by crypto wallets.

FAQ

Short or Large? Short if you type the passphrase on a phone or daily on a laptop; Large if storage or printout space matters more than typing speed.

Minimum word count? 6 words ≈ 62 bits (decent, but not for master keys). 8 words ≈ 83 bits is the safe modern floor for a master password.

Why not just use random characters? Same entropy is easier to memorise as words: 8 short words ≈ 83 bits is human-rememberable; an equivalent 13-character random ASCII string is not. xkcd 936 was right.

Can I pick the words myself instead of rolling dice? No — the moment you pick, you bias the distribution toward common/memorable words, and an attacker exploits exactly that bias. Use a CSPRNG (this page does) or actual dice.