FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

Home Page:https://age-encryption.org

Choose autogenerated passphrase wordlist based on $LANG

FiloSottile opened this issue · comments

BIP-39 already has wordlists for a number of languages, so we can probably stick to those, even if they are not particularly great.

https://github.com/bitcoin/bips/tree/master/bip-0039

commented

Fortunately, unlike the canonical use-case for BIP 39, it doesn't matter if we switch the word lists later for improved ones! So I'm +1 on this, and will follow in rage.

The BIP 39 wordlist has a lot of prefix words, leading to confusion when passwords are created without separators, e.g. uselessoncereal, which can mean either useless-once-real or use-lesson-cereal, all words from the dictionary. Also, some prefixes in it are very underused; for instance, there are no words that start with the letter x. The EFF wordlist is full of very long and complex words, often with only slightly different suffixes. I would suggest rather using ours for English:

https://github.com/covert-encryption/covert/blob/main/covert/wordlist.py

In this list all words are 3-6 letters long to avoid large variation in password lengths, and to keep them simple. Every 3-letter prefix is unique, allowing autocompletion of words after only 2 or 3 letters have been typed, and at the same time avoiding the aforementioned problem. We try to include words that are not easily misread when no separators are used (e.g. badge had to be replaced by bad, which it was naturally seen as anyway).

Similar lists can be generated for other languages with the simple script that we used for this one, if large lists to be used as a starting point are available. It will require some manual exchange of words for maximal quality though. Our list is under development and we expect a few more words to be replaced in the coming weeks until it is finalised.
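The two wordlist properties argued over above (separator-free concatenations that can be read more than one way, and the "every 3-letter prefix is unique" rule) are easy to check mechanically. The script below is an added example written for this thread; it is not code from age, rage or covert. The wordlists in it are small constructed samples built from the words quoted in the comment above, and the entropy figure uses BIP-39's 2048-word list size; both are assumptions made for the demonstration, not output of any real list.

```python
"""Check a passphrase wordlist for prefix ambiguity and unique-decodability.

Added example for the age/rage wordlist discussion; not project code.
"""
import math
import secrets
from functools import lru_cache

# Constructed sample: words from the comment above, showing the BIP-39-style
# problem. "use" is a prefix of "useless" and "less" of "lesson".
SAMPLE_WORDS = ["use", "useless", "less", "lesson", "once", "real", "cereal"]

# Constructed sample with pairwise distinct 3-letter prefixes (covert-style).
PREFIX_FREE_WORDS = ["apple", "bread", "cloud", "delta", "eagle", "frost"]


def segmentations(text, words):
    """Return every way to split `text` into words from `words`.

    More than one result means a separator-free passphrase is ambiguous,
    which matters if a user is expected to type it back without separators.
    """
    vocab = set(words)
    max_len = max(len(w) for w in vocab)

    @lru_cache(maxsize=None)
    def split_from(i):
        if i == len(text):
            return [()]
        results = []
        for j in range(i + 1, min(len(text), i + max_len) + 1):
            candidate = text[i:j]
            if candidate in vocab:
                for rest in split_from(j):
                    results.append((candidate,) + rest)
        return results

    return split_from(0)


def prefix_free_violations(words):
    """Pairs (a, b) where a is a proper prefix of b.

    A prefix-free wordlist is uniquely decodable without separators: the
    reader can always tell where one word ends and the next begins.
    """
    ordered = sorted(set(words))
    return [
        (a, b)
        for i, a in enumerate(ordered)
        for b in ordered[i + 1:]
        if b.startswith(a)
    ]


def prefix_collisions(words, n=3):
    """Pairs of words sharing their first `n` letters.

    If no two words collide and every word is at least `n` letters long,
    the list is automatically prefix-free and supports tab completion after
    `n` typed characters.
    """
    seen = {}
    collisions = []
    for w in sorted(set(words)):
        key = w[:n]
        if key in seen:
            collisions.append((seen[key], w))
        else:
            seen[key] = w
    return collisions


def passphrase_entropy_bits(wordlist_size, word_count):
    """Entropy of `word_count` words drawn uniformly from the list."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(words, word_count, separator="-"):
    """Uniformly random passphrase using the OS CSPRNG (secrets module)."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for reading in segmentations("uselessoncereal", SAMPLE_WORDS):
        print("-".join(reading))
    print("prefix-free violations:", prefix_free_violations(SAMPLE_WORDS))
    print("3-letter collisions:", prefix_collisions(SAMPLE_WORDS))
    print("bits for 10 words from 2048:", passphrase_entropy_bits(2048, 10))
    print("sample passphrase:", generate_passphrase(PREFIX_FREE_WORDS, 4))
```

Run it as a script to see the three readings of uselessoncereal that the sample dictionary admits, or import `prefix_collisions` and point it at a real wordlist file to verify the unique-prefix claim for that list. The entropy helper reproduces the 110-bit figure quoted later in the thread for 10 words from a 2048-word list.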

commented

Generated passphrases in both age and rage use hyphen-separated words, so prefix confusion is not a concern here.

@str4d I am well aware of that, but tab completion is also a nice thing to have, especially with 10-word passphrases. Four easily memorable words, autocomplete, no word breaks and strong hashing might still be better for file encryption, leaving 10-word (110 bit) phrases for seeding cryptocurrency wallets and other functions where the output must be globally unique.