About
My name is Aaron and I code for fun. I work in IT, and have never found a password/passphrase generator I absolutely fell in love with, so I wrote my own.
What is Diceware?
Diceware is a method of creating random passphrases using "dice" as the random number generator: you roll five dice, read them as a five-digit key such as 43216, and look that key up in a wordlist that has one word for each of the 6⁵ = 7776 possible outcomes. Repeat for every word you want. GoodPassphrase.com has implemented a digital die to make really fast rolls for you.
Here are some more detailed write-ups on Diceware. Short story: Diceware can generate really strong passphrases that are really hard to guess, even if the guesser knows you used the Diceware method and which wordlist. The strength comes from the number of equally likely combinations, not from keeping the method secret, which is exactly the property you want from a password scheme.
Types of Password Attacks: Online and Offline
An online attack is when the attacker has to interact with another system to try each password (like trying to log in to Gmail). That system can throttle or lock out the attacker after a handful of failures, so this type of attack is capable of far fewer guesses per second (≈1000/sec is a generous estimate). An attacker who knows you used Diceware with the 7776-word EFF list has to consider 7776ⁿ possibilities for n words. Two words with no numbers or special characters (7776² ≈ 60 million) would fall in well under a day at that rate, but every added word multiplies the work by 7776: four words (7776⁴ ≈ 3.7 × 10¹⁵) would take roughly 116 millennia to try exhaustively, about 58 millennia on average. Passphrases of four or more words generated here are therefore effectively immune to online guessing.
An offline attack is when the attacker has obtained a cryptographically hashed copy of your password (like your Windows password hash, or a leaked website database) and can try candidate passwords on their own hardware until one reproduces the hash. Nothing throttles them: the work runs on a single computer (or cluster of GPUs), and for fast, unsalted hashes such as NTLM, MD5 or SHA-1 the guess rate can reach ≈100 billion/sec according to some sources. Slow, salted password hashes such as bcrypt, scrypt or Argon2 cut that rate by several orders of magnitude, but since you rarely know how a given site stores your password, it is safest to plan for the fast case.
Without knowing how a generated passphrase will be used, I focused on communicating the average time to guess for offline attacks.
How Diceware Passphrase Strength was Calculated
GoodPassphrase.com uses the Electronic Frontier Foundation's large wordlist: 7776 words, one for each possible outcome of five dice rolls, so every word chosen uniformly at random adds log₂(7776) ≈ 12.9 bits of entropy. For a deep dive on this word list and the math which lets us determine the average time to guess a password, read Deep Dive: EFF's New Wordlists for Random Passphrases | eff.org.
If you opt to append a special character, it will be one of thirty, using Azure AD's password policy as a reference for allowed characters: @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;
Because an attacker who knows the method can assume the symbol sits at the end, it adds only log₂(30) ≈ 4.9 bits, less than half of what one more word adds. It mainly helps satisfy "must contain a symbol" composition rules rather than substituting for an extra word.
Given the math in the EFF deep dive, I compiled the following static complexity calculations which drive the "average time to guess" values you see in the passphrase generator: Diceware-Passphrase Complexity Calculations | docs.google.com
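As an added example (not GoodPassphrase.com's own code, nor the spreadsheet above), the following Python carries the math of the two attack sections and the strength calculation through end to end: the keyspace and entropy for n words plus an optional appended symbol, the expected time to guess at the ≈1000/sec online and ≈100 billion/sec offline rates used on this page, and a generator that rolls a five-digit dice key with a CSPRNG and looks it up in a wordlist in the EFF file format (five-digit key, tab, word). The rates, the 30-symbol set and the 7776-word list size are taken from the page; the function names are my own, and the wordlist the script runs against here is a constructed stand-in of the right shape and size, so it works offline. Swap in the real eff_large_wordlist.txt via parse_eff_wordlist for actual use.

```python
"""Diceware strength math and a dice-driven generator for an EFF-format wordlist.

Added example, not GoodPassphrase.com's code. Assumptions: the EFF large
wordlist has 7776 entries keyed by five-dice rolls ("11111<tab>abacus"-style
lines), and the rates/symbol set match the page above.
"""
import itertools
import math
import secrets

WORDLIST_SIZE = 6 ** 5                          # 7776 five-dice outcomes, one word each
SYMBOL_SET = "@#$%^&*-_!+=[]{}|\\:',.?/`~\"();"  # the 30 symbols listed on the page
ONLINE_RATE = 1_000                             # guesses/s, online estimate from the page
OFFLINE_RATE = 100_000_000_000                  # guesses/s, fast-hash offline estimate
SECONDS_PER_YEAR = 365.25 * 86_400


def keyspace(words: int, symbols: int = 0) -> int:
    """Distinct passphrases an attacker who knows the method must consider."""
    return WORDLIST_SIZE ** words * len(SYMBOL_SET) ** symbols


def entropy_bits(words: int, symbols: int = 0) -> float:
    """log2 of the keyspace: ~12.9 bits per word, ~4.9 bits per appended symbol."""
    return math.log2(keyspace(words, symbols))


def average_seconds_to_guess(words: int, symbols: int, rate: float) -> float:
    """Expected time: on average the attacker succeeds halfway through the space."""
    return keyspace(words, symbols) / 2 / rate


def human_time(seconds: float) -> str:
    """Express a duration in the largest unit that fits, rounded to one decimal."""
    units = [
        ("millennia", 1000 * SECONDS_PER_YEAR),
        ("years", SECONDS_PER_YEAR),
        ("days", 86_400),
        ("hours", 3_600),
        ("minutes", 60),
        ("seconds", 1),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return "under a second"


def strength_table(max_words: int = 6) -> dict:
    """Bits and average time to guess for 1..max_words words, with/without a symbol."""
    table = {}
    for n in range(1, max_words + 1):
        for symbols in (0, 1):
            table[(n, symbols)] = {
                "bits": round(entropy_bits(n, symbols), 1),
                "online": human_time(average_seconds_to_guess(n, symbols, ONLINE_RATE)),
                "offline": human_time(average_seconds_to_guess(n, symbols, OFFLINE_RATE)),
            }
    return table


def parse_eff_wordlist(text: str) -> dict:
    """Parse the EFF file format: one 'NNNNN<tab>word' line per five-dice key."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        key, word = key.strip(), word.strip()
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key {key!r}")
        words[key] = word
    return words


def roll_word_key() -> str:
    """Five rolls of a digital die from the OS CSPRNG -> key like '43216'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def generate(words: int, wordlist: dict, add_symbol: bool = False, sep: str = " ") -> str:
    """Roll one key per word, look each up, optionally append one random symbol."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError("wordlist must have exactly 7776 entries, one per dice key")
    phrase = sep.join(wordlist[roll_word_key()] for _ in range(words))
    if add_symbol:
        phrase += secrets.choice(SYMBOL_SET)
    return phrase


def constructed_wordlist() -> dict:
    """Constructed stand-in with the real list's shape (key -> 'w12345') so this runs offline.
    For real use: parse_eff_wordlist(open('eff_large_wordlist.txt').read())."""
    keys = ("".join(d) for d in itertools.product("123456", repeat=5))
    return {k: "w" + k for k in keys}


if __name__ == "__main__":
    print(generate(4, constructed_wordlist(), add_symbol=True))
    for (n, s), row in strength_table().items():
        print(f"{n} words + {s} symbol: {row['bits']} bits, "
              f"online {row['online']}, offline {row['offline']}")
```

The two numbers worth noticing when you run it: two words average 8.4 hours against the page's online rate, while four words average about 58 millennia, and against the fast-hash offline rate six words are needed to reach tens of millennia. The symbol row never moves the result by more than a factor of 30.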