It actually will as long as they are RANDOM words. The random is the hard part. Humans are actually very bad at coming up with random values. If you ask people to pick a random number between one and ten a significant portion (usually 20% to 50%) will randomly pick seven and very few will pick one or ten.
Apart from the "random" issue, there is one more problem.
The site quoted is using a list of 7776 English words, but if you ask me to pick a few words myself, I would probably be picking the words from just a few hundred words (probably items in my house, people's name, brand name etc.).
BTW, how is the entropy of the password calculated?
Well since each word is random and there are 7776 possible outcomes that means each word has Log(7776) = 12.925 bits of entropy each. The entropy of the password would be # of words * entropy of each word.
5 words = ~64 bits <- sufficient for low security applications*
6 words = ~78 bits
7 words = ~90 bits <- sufficient for medium security applications*
8 words = ~102 bits <- sufficient for high security applications* which rely on an additional factor (i.e. bitcoin wallet requires passphrase AND the actual wallet.dat)
9 words = ~116 bits
10 words = ~130 bits <- beyond brute force of nation states both today and into the conceivable future
* This assumes the passwords are stored securely using a key derivation function (strong hash, thousands of rounds, per record salt)
DISCLAIMER: I strongly recommend against using a brain wallet for any reason but if someone is going to use them they should have a realistic understanding of what level of entropy is necessary to prevent compromise.
Brain wallets require no second factor so the only security is a sequence which simply can't be brute forced by anything possible today (even by nation states) or for the foreseeable future. >128 bits of password strength is considered beyond brute force due to the sheer energy requirements necessary to search that keyspace. Remember with a brain wallet attacker(s) can simply precompute all probable keys (and that would include shorter diceware sequences). They can continue forever and slowly expand the database of know addresses.
So the only real security would be a passphrase which is beyond brute force, anything else could have already been broken before you ever used it, or could be broken at any point in the future.
So for RANDOM passphrases we are talking about:
Dicewords (7,776 words) = 10 symbols (words)
All keyboard symbols (95 unique printable symbols on standard US keyboard) = 20 symbols
Case sensitive alphanumeric (a-z, A-Z, 0-9) = 22 symbols
Case insensitive alphanumeric (a-z, 0–9) = 26 symbols
Case insensitive Latin alphabet (a-z) = 28 symbols
Arabic numerals (0–9) = 40 symbols
So of these sequences I know which one is the easiest for me to memorizechive edt oat puffy crust kiss long omaha lucky bank
2q4$7hG33d$EAV$gsaR4
NSQPYAFSNTAKNPMVZDRRKWXXACVW
TU9MQW97U99D42Y7TS4J6EGGKN
3363486927993949454245366885937555332592
Remember this only applies to truly random sequences. Human "random" passwords, ones based on symbol substitution (p@ssw0rd!), or taken from a book/move/song have
significantly less entropy. For most of those it is only a matter of time until they are precomputed by attackers.
