As you may know, there is a method for using dice to create strong passphrases. With ordinary 6-sided dice, five rolls select one entry from a word list, so the list must be 6^5 = 7,776 words long. Each word chosen from such a list adds log2(7,776) = 12.925 bits of entropy to the passphrase, provided the dice are fair and every word in the list is distinct.

I argue that we can also use a deck of well-shuffled playing cards as an easy source of human-generated randomness.

If we collapse the spade and club suits into their color, black, and the diamond and heart suits into their color, red, each drawn card yields one of 2 × 13 = 26 equally likely symbols: a base-26 source of randomness. Three cards then select one of 26^3 = 17,576 words, so each additional word adds log2(17,576) = 14.101 bits of entropy.

How to use playing cards to create a strong passphrase

Set-up

  1. Open this cardware word list in your browser, download it, or print it out.
  2. Prepare any standard deck of playing cards by removing the jokers, leaving exactly 52 cards (13 ranks in each of 4 suits).

Getting a random word

  1. Shuffle the deck thoroughly.
  2. Pick a card at random from the shuffled deck, say the 7 of diamonds.
  3. Write down the card you picked on a piece of paper. In our example we’d write “R07” (for “red 7”: diamonds and hearts are “red”). If we drew the ace of clubs, we’d write “BAc” (for “black ace”). The list uses “Ja” for jacks, “Qu” for queens, “Ki” for kings, and “Ac” for aces.
  4. Put the selected card back into the deck before the next draw. This step is crucial: every card must be drawn from the full 52-card deck so that the draws are independent and each of the 26 codes stays equally likely. Without it, repeated codes become rarer than they should be, and a code that needs the same color and rank three times (such as R07-R07-R07) can never occur, because only two red 7s exist.

Do this three times (shuffle, draw, write down, re-insert) so that you have codes for 3 cards, for example “R07-BKi-RJa” (“red 7, black king, red jack”). Looking this code up in the cardware list, we find that it corresponds to the word “replies”. This is the first word of your passphrase.

Making a passphrase

Repeat the “getting a random word” steps once per word, for as many words as you like. For example, repeating the process 6 times might give the passphrase replies tunnels deteriorating repository regeneration treatise (6 words × 14.101 bits gives about 84.6 bits of entropy). Each additional word adds another 14.101 bits.

Note that you can use any delimiter you like between the words, or none at all (repliestunnelsdeterioratingrepositoryregenerationtreatise).
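Here is a worked example, added to this post and not part of the original cardware tooling, that puts the procedure above into code: it turns a code such as “R07-BKi-RJa” into a word-list index, computes the entropy figures quoted above (together with those for the 2,704- and 140,608-word alternatives discussed in the FAQ below), and works out exactly what skipping step 4 costs by enumerating every possible 3-card draw with and without re-inserting the card. Two things are assumptions, because the post does not spell them out: the rank tokens “02” to “10” for the number cards, and the order in which codes map to positions in the list. The real list may use a different order, so the index printed here is for illustration and is not a way to look up “replies”.

```python
"""Added worked example for the cardware procedure above. This is not code
from the original post; it only shows the arithmetic the post relies on.

Assumptions (the post does not specify them):
  * A card code is the post's color letter (B for spades/clubs, R for
    diamonds/hearts) followed by a rank token. The post shows "07", "Ja",
    "Qu", "Ki" and "Ac"; "02".."10" for the number cards is assumed.
  * The order in which the real word list assigns words to code triples is
    unknown, so triple_to_index() uses an assumed color-major, ascending-
    rank order. It does not reproduce "replies" for "R07-BKi-RJa".
"""
import itertools
import math
from collections import Counter

RANKS = ["02", "03", "04", "05", "06", "07", "08", "09", "10",
         "Ja", "Qu", "Ki", "Ac"]
SYMBOLS = [c + r for c in ("B", "R") for r in RANKS]   # the 26 base-26 "digits"
SYMBOL_INDEX = {s: i for i, s in enumerate(SYMBOLS)}
# The 52-card deck with suits collapsed to colors: every symbol appears twice.
DECK = [c + r for c in ("B", "B", "R", "R") for r in RANKS]


def bits_per_word(list_size: int) -> float:
    """Entropy one uniformly chosen word contributes: log2(list size)."""
    return math.log2(list_size)


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy of n independent, uniform picks from the list."""
    return n_words * bits_per_word(list_size)


def triple_to_index(code: str) -> int:
    """Map a code like 'R07-BKi-RJa' to 0..17575 in the ASSUMED order:
    three base-26 digits, most significant first."""
    parts = code.split("-")
    if len(parts) != 3:
        raise ValueError(f"expected three card codes, got {code!r}")
    index = 0
    for part in parts:
        if part not in SYMBOL_INDEX:
            raise ValueError(f"unknown card code {part!r}")
        index = index * 26 + SYMBOL_INDEX[part]
    return index


def triple_distribution(with_replacement: bool) -> Counter:
    """Exact distribution of code triples over all equally likely ordered
    3-card draws: 52^3 with replacement, 52*51*50 without."""
    if with_replacement:
        draws = itertools.product(DECK, repeat=3)
    else:
        # permutations() treats the 52 positions as distinct, so each of the
        # 132,600 equally likely no-replacement draws is counted exactly once.
        draws = itertools.permutations(DECK, 3)
    return Counter("-".join(d) for d in draws)


def shannon_bits(dist: Counter) -> float:
    """Average-case entropy of the triple distribution."""
    total = sum(dist.values())
    return -sum(n / total * math.log2(n / total) for n in dist.values())


def min_entropy_bits(dist: Counter) -> float:
    """Worst-case entropy: -log2 of the single likeliest triple."""
    total = sum(dist.values())
    return -math.log2(max(dist.values()) / total)


def replacement_report() -> dict:
    """Quantify, for one word, what skipping the re-insert step costs."""
    uniform = triple_distribution(with_replacement=True)
    biased = triple_distribution(with_replacement=False)
    return {
        "reachable_with_replacement": len(uniform),
        "reachable_without_replacement": len(biased),
        "unreachable_without_replacement": sorted(set(uniform) - set(biased)),
        "max_over_min_probability": max(biased.values()) / min(biased.values()),
        "shannon_with_replacement": shannon_bits(uniform),
        "shannon_without_replacement": shannon_bits(biased),
        "min_entropy_without_replacement": min_entropy_bits(biased),
    }


if __name__ == "__main__":
    for size in (2_704, 7_776, 17_576, 140_608):
        print(f"{size:>7}-word list: {bits_per_word(size):.3f} bits per word")
    print("6 cardware words:", round(passphrase_bits(17_576, 6), 1), "bits")
    print("R07-BKi-RJa -> index", triple_to_index("R07-BKi-RJa"), "(assumed order)")
    r = replacement_report()
    print("words unreachable without re-inserting:",
          len(r["unreachable_without_replacement"]), "e.g.",
          r["unreachable_without_replacement"][:3])
    print("likeliest / rarest word without re-inserting:", r["max_over_min_probability"])
    print(f"min-entropy per word without re-inserting: "
          f"{r['min_entropy_without_replacement']:.3f} bits "
          f"(vs {bits_per_word(17_576):.3f} with)")
```

Running it shows that with the card re-inserted every one of the 17,576 triples is equally likely, whereas without re-inserting, the 26 “three of a kind” codes such as R07-R07-R07 can never occur (only two red 7s exist) and the remaining words are not equally likely, the likeliest being twice as probable as the rarest; the per-word min-entropy drops from 14.101 to about 14.017 bits. The loss for a single word is small, but the 14.101-bit figure holds only when every draw comes from the full deck, and the bias compounds if several words are drawn without reshuffling.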

FAQ

Why not use all 4 suits?

Astute readers may notice that the above process “collapses” hearts and diamonds into “red” cards, and spades and clubs into “black” cards. A card could distinguish 52 outcomes (log2(52) = 5.700 bits) but is used for only 26 (4.700 bits), so exactly 1 bit of the entropy generated by the shuffle is discarded per card drawn, which isn’t great.

The short answer to why I still choose colors rather than suits is that 2 cards from a 52-card deck would correspond to a word list of only 52^2 = 2,704 words (11.401 bits per word), and I argue that a 7,776-word list for use with dice is a better choice than that. Using 3 cards from a 52-card deck would require a list of 52^3 = 140,608 words, which is impractical for English.

A longer answer is that 17,576 nicely clears something I call the “brute force line.”

Can I, a human, shuffle a deck well enough to ensure randomness?

I admit I’m not sure. It seems much easier for most humans to roll a number of dice “well” than to shuffle a deck thoroughly and “randomly” pick out a single card.