
The EFF Wordlist: How 7,776 Words Became the Gold Standard for Passphrases

The EFF's 7,776-word list powers most modern passphrase generators. Here is why that exact number, how the words were chosen, and what makes it better than Diceware.

Open almost any modern passphrase generator — 1Password, Bitwarden, KeePassXC, the one on this site — and the word list under the hood is almost certainly the EFF's. Published in 2016, it became the de facto standard within a couple of years. The number of words is not a round figure, and there are reasons for that.

Why 7,776?

7,776 is 6 to the 5th power. That is the number of outcomes you get from rolling five six-sided dice. The list is designed for "Diceware" — a method invented by Arnold Reinhold in 1995 where each word is chosen by physically rolling dice. Five dice produce a number like 41525, which maps to one entry in the list.

The constraint is mechanical, not mathematical. You could make a longer or shorter list, but 7,776 is the largest list addressable with five standard dice and no wasted rolls. Each word picks up exactly log2(7776) ≈ 12.92 bits of entropy.

What the EFF Fixed

The original Diceware list dates to 1995 and shows it. It contains:

  • One- and two-letter entries (a, z2) that don't feel like words and add typing errors.
  • Obscure abbreviations and ham-radio jargon.
  • Profanity and slurs that nobody wants to read aloud.
  • Words that sound or look almost identical (their / there), making transcription error-prone.

The EFF list, curated by Joseph Bonneau and Joel Gage, replaced these with an English-language list designed for human ergonomics. Every entry is at least 3 characters, no entry is a prefix of another, no two entries share their first 3 characters, and the vocabulary skews toward common, easy-to-spell words.

The "Unique Prefix" Property

The 3-character prefix rule is genuinely clever. It means you can autocomplete a passphrase by typing only the first three letters of each word. "cor" can only mean "correct". "hor" can only mean "horse". Password managers and CLI tools use this to make long passphrases practical to type.

It also means that even if you misremember a word slightly — say, "battery" vs "batteries" — only one is in the list, removing ambiguity when typing it back from memory.
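The structural rules described above (complete dice coverage, minimum length, no entry a prefix of another, unique 3-character stems) can be checked mechanically. This is an added example, not code from the EFF or from this site's generator; the function names are assumptions of the example, and the two sample lists are constructed and keyed by a single die to stay short.

```python
import math
from itertools import product

# Constructed sample lists (not EFF data), keyed by ONE die to keep them short.
GOOD = "1\tcorrect\n2\thorse\n3\tbattery\n4\tstaple\n5\tdice\n6\tword"
BAD = "1\tab\n2\tcorn\n3\tcornbread\n4\thorse\n5\tbattery"  # roll 6 is missing

def parse_dice_list(text):
    """Parse 'ROLL<whitespace>WORD' lines into {roll: word}."""
    table = {}
    for line in text.strip().splitlines():
        roll, word = line.split()
        if roll in table:
            raise ValueError(f"duplicate roll {roll}")
        table[roll] = word
    return table

def audit(table, min_len=3, stem_len=3):
    """Report every structural rule the list breaks; empty findings mean it passes."""
    n_dice = len(next(iter(table)))
    expected = {"".join(p) for p in product("123456", repeat=n_dice)}
    words = sorted(table.values())
    # In sorted order a word that prefixes any other word also prefixes its
    # immediate successor, so checking neighbours proves prefix-freeness.
    # Duplicates are caught the same way (a word "prefixes" its own copy).
    prefix_pairs = [(a, b) for a, b in zip(words, words[1:]) if b.startswith(a)]
    stems = {}
    for w in words:
        stems.setdefault(w[:stem_len], []).append(w)
    return {
        "missing_rolls": sorted(expected - set(table)),
        "invalid_rolls": sorted(set(table) - expected),
        "too_short": [w for w in words if len(w) < min_len],
        "prefix_pairs": prefix_pairs,
        "shared_stems": {s: ws for s, ws in stems.items() if len(ws) > 1},
        # Only meaningful when the list is complete and selection is uniform.
        "bits_per_word": math.log2(len(table)),
    }

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(parse_dice_list(text)))
```

Running the same audit over a real list file (read its text and pass it to `parse_dice_list`) before shipping it in a generator shows which of these properties that list actually has.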

The Entropy Math

Each word from a 7,776-word list contributes log2(7776) ≈ 12.92 bits of entropy. Standard recommendations:

  • 4 words — ~51.7 bits. Borderline. Fine for low-stakes accounts behind a rate-limited login, weak against offline cracking.
  • 5 words — ~64.6 bits. The EFF's recommended minimum. Resists most offline attacks today.
  • 6 words — ~77.5 bits. Strong. The default many password managers ship with.
  • 7 words — ~90.5 bits. Master-password territory.
  • 8 words — ~103.4 bits. Cryptographic-key strength, still memorisable with effort.

The math only holds if word selection is uniform and random. Picking words yourself — or generating them and then "swapping one because it sounds funnier" — collapses the entropy fast. Once a human filters the output, an attacker's search shrinks accordingly.

The Other EFF Lists

Alongside the main 7,776-word list, the EFF released two "short" lists of 1,296 words each (6^4, addressable with four dice). Both trade entropy per word for shorter, more memorable words. Use these only if you need to type passphrases very frequently and you compensate with extra word count: a 7-word short-list passphrase still hits ~72 bits.

There are also localised lists for non-English speakers, maintained by the community. The structural rules — uniform prefix length, no ambiguous pairs — carry over.

Why It Beat Every Predecessor

The EFF list is open, professionally curated, free of trademark and copyright entanglements, and audited by cryptographers. It is the first wordlist that password manager vendors could ship without legal review or quality concerns. That, more than any technical innovation, is why it took over.

If you generate a passphrase today on almost any reputable tool, you are getting words from this list. The fact that you have probably never thought about it is a sign that the engineering worked.

References

  1. Bonneau, J. & Gage, J. (2016). Deep Dive: EFF's New Wordlists for Random Passphrases. Electronic Frontier Foundation.
  2. Reinhold, A. (1995). The Diceware Passphrase Home Page. World Wide Web publication.
  3. Grassi, P. A., Garcia, M. E., & Fenton, J. L. (2017). NIST Special Publication 800-63B: Digital Identity Guidelines. National Institute of Standards and Technology.
  4. Munroe, R. (2011). Password Strength. xkcd #936.