Passphrase Generator

A passphrase is a sequence of random words used as a password — for example, correct-horse-battery-staple. Instead of trying to remember a string of symbols like X#m9!qL2, you remember a short story or mental image. The randomness comes from how the words are selected (by a cryptographic random number generator, not by you), not from the words being obscure. Common words chosen randomly are statistically far harder to crack than clever-looking passwords chosen by humans.

The concept was popularised by the XKCD comic "Password Strength" and is now the recommended approach by NIST (the US National Institute of Standards and Technology), the Electronic Frontier Foundation, and most professional security researchers.

Passphrase vs password — at a glance

	Passphrase	Traditional password
Example	`flame-orbit-cedar-mist`	`F@m3!x9#Rq`
Entropy (typical)	51–77 bits (4–6 words)	30–50 bits (8–12 chars)
Easy to remember	Yes — words form a mental image	No — symbols are hard to recall
Easy to type	Yes — common words, no hunting for @	No — special chars slow you down
Works on all sites	Yes	Yes
NIST recommended	Yes — length over complexity	No — complexity rules are now discouraged

Why use a passphrase instead of a password?

Traditional password advice — add numbers, symbols, capital letters, make it complex — backfires in practice. It produces passwords that are hard for humans to remember but not actually hard for computers to crack, because humans follow predictable patterns (P@ssw0rd, Summer2024!). Passphrases solve both problems at once:

Easier to remember. Four random words form a memorable phrase or image. You can say them aloud, write them down on paper, or type them without hunting for the @ key.
Statistically stronger. A 4-word EFF passphrase has about 51 bits of entropy. A 5-word passphrase reaches 64 bits — equivalent to a fully random 10-character password with uppercase, lowercase, digits, and symbols.
Resistant to dictionary attacks. An attacker trying to crack a passphrase must try combinations of whole words, not individual characters. The EFF list has 7,776 words, so a 4-word passphrase has 7,776⁴ = over 3.6 trillion possible combinations.
Works everywhere. No special characters required. Every login form accepts plain words, including those that reject symbols or have strict length limits.

How this passphrase generator works

This tool picks words at random from the EFF large word list — 7,776 common English words curated by the Electronic Frontier Foundation specifically for this purpose. Words were chosen to be easy to spell, easy to type, and unambiguous when spoken aloud (no words that sound identical to other words).

Randomness comes from the Web Cryptography API (crypto.getRandomValues), the same secure source used by password managers and cryptographic software. This is a fundamentally different level of randomness than Math.random(), which is suitable for games but not for security. Nothing is sent to any server — generation happens entirely in your browser, and your passphrases are never transmitted or logged.

Passphrase best practices

Use at least 4 words. Three words gives about 38 bits of entropy, which is technically crackable with enough computing power. Four words (51 bits) is the practical minimum. Five words (64 bits) is comfortable for sensitive accounts.
Use a different passphrase for every account. If one service is breached, your other accounts stay safe. A password manager makes this practical — store your passphrases there and only memorise the master passphrase.
Don't choose the words yourself. Human-chosen "random" words are not random — we gravitate toward familiar combinations. Let the generator choose.
Don't use lyrics, quotes, or book titles. Famous phrases are in attacker word lists. Truly random words are not.
Add a number or symbol if required. Toggle the options above to satisfy sites with complexity requirements without sacrificing memorability.

How to manage your passphrases

You only need to memorise one passphrase: the master passphrase for your password manager. Use a 5 or 6-word passphrase for this — it is the key to everything else, so make it strong. Then generate unique passphrases for every other account and let the password manager store them. You never have to remember (or even see) your other passphrases again. Popular password managers include 1Password, Bitwarden (free and open source), and Dashlane.

For accounts where you must type the passphrase by hand — a device login, for example — pick a 4 or 5-word passphrase and practise typing it a few times. The regularity of real words makes them much faster to type than symbol-heavy passwords.

Frequently asked questions

Is this passphrase generator secure?

Yes. All generation happens entirely in your browser — nothing is transmitted to any server. The tool uses the Web Cryptography API (crypto.getRandomValues), which is cryptographically secure randomness, not the weaker Math.random(). The word list is the EFF large wordlist, the same standard used by Bitwarden, 1Password, and other professional password managers. Your passphrases never leave your device.

What is entropy and why does it matter?

Entropy (measured in bits) describes how many possible passphrases could be generated with your current settings. Higher bits means more possible combinations and therefore longer to crack. A 4-word EFF passphrase has about 51 bits of entropy; a 5-word passphrase has about 64 bits. Security researchers generally recommend at least 60–80 bits for sensitive accounts. The crack-time estimate shown assumes a very powerful attacker running 1 trillion guesses per second — at 64 bits, that still takes over 18,000 years.

Can I use a passphrase for banking or work accounts?

Yes. A 5-word passphrase (64 bits of entropy) is extremely strong — far stronger than a typical password like P@ssw0rd123. Most sites accept passphrases as long as they meet any minimum length requirement. For critical accounts (banking, email, your password manager master password), use 5 or 6 words and enable the number option to satisfy sites that require a digit.

What is the EFF word list?

The EFF (Electronic Frontier Foundation) large word list is a curated set of 7,776 common, everyday English words designed specifically for creating diceware passphrases. The EFF selected words that are easy to spell, easy to remember, and unambiguous — removing obscure words, offensive terms, and words that sound like other words when spoken aloud. It is the same standard word list used by Bitwarden, 1Password, and other professional password managers.

How many words should my passphrase have?

For most accounts, 4 words is a reasonable minimum (51 bits). For sensitive accounts — email, banking, your password manager master password — use 5 words (64 bits) or 6 words (77 bits). Adding a number or symbol increases entropy further. The key advantage of passphrases is that more words means both higher security AND easier to remember, which is the opposite of how traditional password complexity advice works.

Who uses a passphrase generator?

Security-conscious users

Replacing weak or reused passwords with strong unique passphrases for every account — starting with the password manager master password

IT administrators

Setting team password policies that are both secure and usable — passphrases are easier for employees to follow than symbol-heavy requirements

Developers

Generating strong secrets for API keys, service accounts, or encryption keys that need to be typeable and auditable by humans

Anyone switching managers

Setting a strong master password when signing up for a password manager for the first time — the one passphrase worth memorising

More word tools

Other tools

What is a passphrase?