Passphrase generator
Generate strong, memorable passphrases from random words — secure randomness, entirely in your browser.
Runs 100% in your browserHow to generate a passphrase
- Choose word count. Pick how many random words (5–6 is a good default).
- Set options. Choose a separator, and optionally capitalise words or append a number.
- Generate and copy. Click Generate for a fresh passphrase, then copy it.
Why random words beat a clever password
The idea behind a passphrase — popularised by the Diceware method and the well-known XKCD "correct horse
battery staple" comic — is that human-invented passwords are predictable and machine-generated random words
are not. When you choose a "memorable" password you lean on patterns attackers already model:
a capital at the front, a word, a year, a ! at the end. A string of words picked at random from
a list carries no such pattern, so it can only be attacked by brute force — and brute force against enough
random words is hopeless. Crucially, the words must be chosen by the machine; a phrase from your favourite
song or a famous quote is in every cracking dictionary and gives almost no protection.
How the entropy number is calculated
The strength readout isn't a guess — it's exact. Each word contributes log₂(list size) bits of
entropy, and the bits add up across words, so the total is simply words × log₂(list size)
(plus a little more if you append a random number). Doubling the list size adds one bit per word; adding a word
adds a full word's worth. That's why adding words is the strongest lever — far more than
capitalising or sprinkling in a digit, which each add only a bit or two total. A six-word passphrase clears the
70-bit mark that's comfortable for important accounts, and every extra word raises the bar by the same large
jump. The estimate assumes the attacker knows the method and word list, which is the honest, worst-case way to
measure it.
Separators, numbers and where to keep it
The separator and "append a number" options exist mostly to satisfy sites that demand mixed character types — they add a touch of entropy but their real job is passing a validator without weakening anything. Spaces or hyphens between words also make a passphrase you must type (a laptop login, a disk-encryption key) far less error-prone than a dense random string. For everything else, generate it here, paste it into a password manager, and let the manager remember it — you only need to recall the one master passphrase protecting the vault. When a site allows it and you'll never type the value by hand, a fully random password is more compact for the same strength; the passphrase wins whenever a human has to read or key it in.
Frequently asked questions
- A passphrase of several random words is far easier to remember and type than a random character string of equal strength. Four to six random words give strong entropy while staying human-friendly.
- Words are selected from a curated word list using the Web Crypto API (crypto.getRandomValues) — a cryptographically secure random source — entirely in your browser. No words leave your device.
- Strength depends on the word-list size and the number of words. The tool shows the estimated entropy in bits live; aim for 70+ bits (typically 5–6 words) for important accounts.
- Adding a digit or capitalising words slightly raises entropy and helps satisfy sites that require mixed character types. The biggest lever, though, is simply adding more words.