Is This Safe?
Yes! The passwords are generated entirely on your computer: no information is sent back to the server except for your browser requesting the wordlist.
Please note, however, that your browser does not support the Web Crypto API which provides cryptographic functionality. The standard Math.random function is being used in its absence to generate random values when deriving new diceware passwords. In general, this should not affect the strength of your password but it is considered a less-than-ideal practice.
Diceware is a scheme for generating passwords, created by Arnold G. Reinhold in August of 1995. Arnold's original page describing the process is – surprisingly – still around and – more surprisingly – still updated regularly. This tool will generate diceware passwords for you, but with some subtle differences.
Firstly, I'm using the EFF's “Enhanced” Wordlist for diceware which replaces many of the rare and unusual words in Arnold's original list with words that are slightly longer but easier to remember.
However, some words in the EFF's list are product or company names, so I have replaced these as follows:
- facebook → faceoff
- ipad → ionically
- iphone → ionizable
- ipod → ipswitch
- itunes → itty-bitty
- nintendo → ninefold
- lego → leghorn
- myspace → mystery
- superbowl → supine
- walmart → walkup
- xbox → x-axis
- xerox → x-ray
I may have missed some, so further words may be replaced in the future.
The second difference is that Arnold suggests using a wordlist with a length that is a power of two when generating diceware passwords by machine (and even provides a list with 8,192 words). I decided that I preferred the EFF's list (with 7776 words) and that giving up any benefits from even powers of two, along with the slight loss in entropy, was acceptable.
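The following is an added example, not this tool's own code: it shows one way to pick words uniformly from a 7776-word list with the Web Crypto API, and compares the entropy per passphrase against an 8,192-word list. Because 7776 does not divide the 65,536 values of a 16-bit random number evenly, the sketch discards out-of-range values rather than reducing them with `%`. The function names, the `fill` parameter and the placeholder wordlist are assumptions made for illustration.

```javascript
// Added example (not the page's own code). Picks diceware words with the
// Web Crypto API and rejection sampling, so a 7776-word list stays uniform.

// Largest multiple of listSize that fits in the 65536 values of a Uint16.
// Raw values at or above it are discarded instead of folded in with %.
function rejectionLimit(listSize) {
  if (!Number.isInteger(listSize) || listSize < 1 || listSize > 0x10000) {
    throw new RangeError("listSize must be an integer in 1..65536");
  }
  return 0x10000 - (0x10000 % listSize);
}

// Default random source: the browser CSPRNG. `fill` is a hypothetical
// injection point so the sampler can be exercised with fixed values.
const webCryptoFill = (buf) => globalThis.crypto.getRandomValues(buf);

function randomIndex(listSize, fill = webCryptoFill) {
  const limit = rejectionLimit(listSize);
  const buf = new Uint16Array(1);
  for (;;) {
    fill(buf);
    if (buf[0] < limit) return buf[0] % listSize; // uniform in 0..listSize-1
  }
}

function generatePassphrase(wordlist, wordCount, fill = webCryptoFill) {
  const words = [];
  for (let i = 0; i < wordCount; i++) {
    words.push(wordlist[randomIndex(wordlist.length, fill)]);
  }
  return words;
}

// Entropy of a passphrase whose words are drawn uniformly and independently.
function entropyBits(listSize, wordCount) {
  return wordCount * Math.log2(listSize);
}

// Constructed stand-in for the real wordlist: 7776 placeholder entries.
const SAMPLE_LIST = Array.from({ length: 7776 }, (_, i) => `word${i}`);

// Demo, run only where Web Crypto is available.
if (globalThis.crypto?.getRandomValues) {
  console.log(generatePassphrase(SAMPLE_LIST, 6).join(" "));
  console.log(entropyBits(7776, 6).toFixed(2), "bits vs", entropyBits(8192, 6));
}
```

With a power-of-two list such as 8,192 words the rejection limit equals the full 16-bit range, so no value is ever discarded.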