I'd point you to the EFF's guide on how to do this and this article by Micah Lee. Note that you will have to use either the Orchard Street Diceware List or one of the Short Lists.
Some password managers allow users to use any given wordlist file to generate passphrases. KeePassXC (v 2.7+) is one such password manager.
To have KeePassXC use one of these wordlists, click on KeePassXC's dice icon to open the password generator, then click over to the "Passphrase" tab, then click the + button to choose a word list file.
That depends on your threat model, so I can't give a general answer. But if I were forced to give a general rule of thumb, I'd say using 6 words from the long or medium lists (e.g. "fig phases telephone cowboys warning lit") and 7 words from a short list (e.g. "robe towed wooded cue hasty cups each") is a safe bet.
- The Buttercup password manager now uses the Orchard Street Medium list as its passphrase word list.
- Strongbox offers the Orchard Street Diceware list to users looking to generate passphrases.
If you find other examples, feel free to create an Issue or PR!
I created a passphrase generator that uses the Orchard Street Wordlists that I call Phraze.
If you don't trust me or like Rust, there's also Micah Lee's passphraseme tool. Use the -d / --dictionary option to use an Orchard Street Wordlist file.
No. All Orchard Street Wordlists are uniquely decodable, which means words from any one of them can be safely combined in a passphrase without punctuation between the words, e.g. "thrillerconcernclearedevidencestretchapple". Though there's nothing wrong with putting a space, hyphen, underscore, etc. between the words if you prefer.
What's the difference between the Orchard Street Diceware List and the EFF "long list"? They both have 7,776 words...
They're pretty similar! Both the EFF's long list and the Orchard Street Diceware List contain exactly 7,776 words. This is so that each word can correspond to the roll of 5 6-sided dice. Both lists are also uniquely decodable, which means passphrases from them don't need separators between words.
One difference is that the EFF list is uniquely decodable because it has no "prefix words". The Orchard Street Diceware List was made uniquely decodable through a novel process I invented called Schlinkert pruning (and thus, the Orchard Street Diceware List does have prefix words in it). I'll also note that the EFF list's mean word length is ever so slightly shorter (by 0.07 characters).
Lastly, the EFF list does include some weird words, like "grope", "gonad", "ecard", and "footsie", some hyphenated words like "drop-down" and "yo-yo", plus some Apple device names ("ipad", "iphone", "ipod").
All that said, the EFF list is definitely more well-known and the more widely used choice, so it's the less risky choice. But if you're here reading this FAQ, maybe you want to try new things...
I'm creating a passphrase I know I'll frequently be entering into a smart TV or video game console. Which list should I use?
Entering secure passwords on a smart TV remote or video game controller is a pain. To make this easier, the Orchard Street Short Lists are optimized to minimize the number of "clicks" you must execute to enter a passphrase.
This number of clicks depends on the keyboard layout. If the service's password keyboard looks like a traditional QWERTY layout:
qwertyuiop
asdfghjkl
zxcvbnm
use the Orchard Street Qwerty List.
If it's closer to alphabetical order:
abcdef
ghijkl
mnopqr
stuvwx
yz
use the Orchard Street Alpha List.
You can read this blog post for more information.
I'm creating passphrase-generation software. Can I use one or more of the Orchard Street Wordlists in my project?
Sure! Just be sure to follow the appropriate license (see readme file).
If I wanted a really long list, can I combine all of the Orchard Street Wordlists into one super long list?
I would NOT recommend doing this. The reason is that, even if you removed duplicate words, the resulting list would almost certainly not be uniquely decodable, an important quality.
Though if you do feel the need to edit an existing list or make your own word list, you're welcome to use a tool I wrote called Tidy, which can make lists uniquely decodable using a variety of methods, including Schlinkert pruning.
Lastly, if you want a very long uniquely decodable list, you can try this 40,000-word list I created as part of another project.
The words that make up these word lists are taken from two sources: Google Books Ngram data and (English) Wikipedia, via a Wikipedia word frequency project.
The lists were made uniquely decodable using a process based on the Sardinas–Patterson algorithm that I call Schlinkert pruning.
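To see what unique decodability means in practice, and why merging two lists can lose it, here is a small Sardinas–Patterson check. It is an added example, not code from Tidy or from this project, and it only tests a list rather than pruning it. The word lists are constructed for illustration, and the function names are hypothetical.

```python
def residuals(prefixes, strings):
    """Non-empty leftovers when a string in `prefixes` is a proper prefix of one in `strings`."""
    return {s[len(p):] for p in prefixes for s in strings if s != p and s.startswith(p)}


def find_ambiguity(words):
    """Sardinas-Patterson test. Returns a dangling suffix that is itself a word
    (proof that the list is NOT uniquely decodable), or None if the list is safe."""
    code = set(words)
    seen = set()
    frontier = residuals(code, code)  # leftovers from words that are prefixes of other words
    while frontier:
        hit = frontier & code
        if hit:
            return sorted(hit)[0]
        seen |= frontier
        # Follow each leftover: it may start a longer word, or start with a word.
        frontier = (residuals(code, frontier) | residuals(frontier, code)) - seen
    return None  # no leftover ever matched a word


def count_parses(text, words):
    """Count the ways `text` can be split into words from the list (no separators)."""
    code = set(words)
    ways = [1] + [0] * len(text)
    for end in range(1, len(text) + 1):
        ways[end] = sum(ways[end - len(w)] for w in code if text[:end].endswith(w))
    return ways[len(text)]


# Constructed sample lists, not taken from any Orchard Street Wordlist.
LIST_A = ["air", "airport", "cue"]    # contains a prefix word ("air"), still uniquely decodable
LIST_B = ["portable", "able", "lit"]  # prefix-free, uniquely decodable
COMBINED = LIST_A + LIST_B            # merging the two breaks unique decodability

if __name__ == "__main__":
    for name, wl in (("A", LIST_A), ("B", LIST_B), ("A+B", COMBINED)):
        print(name, "ambiguity:", find_ambiguity(wl))
    # "airport" + "able" and "air" + "portable" spell the same string.
    print("parses of 'airportable':", count_parses("airportable", COMBINED))
```

Each list passes on its own, but the merged list does not: "airportable" can be read two ways, so a passphrase drawn from it without separators carries less entropy than the word count suggests.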
- Common Word List Maker: Scrapes Google Books Ngram data to create a long word list of commonly used words
- Wikipedia word frequency generator: Gathers word frequencies from Wikipedia articles.
- Tidy: A command-line utility for editing word lists. I wrote this one!