Passphrase Generator

Create a strong, memorable passphrase from random words — easier to type than a random string, and strong enough to resist brute-force attacks.

Generating…

Click to copy

Strong
Words5 words
Separator

A passphrase is a secret made from several ordinary words strung together — for example, “correct-horse-battery-staple” — rather than a tangle of random characters. The concept was popularized by diceware, a method invented by Arnold Reinhold in 1995 where physical dice rolls select words from a numbered list. The Electronic Frontier Foundation later released its own 7,776-word EFF wordlist, carefully curated to contain only common, easy-to-spell English words so the resulting passphrase is genuinely memorable. This generator uses that same EFF list.

Security comes from combinatorics. Each word is chosen uniformly at random from 7,776 options, so every word contributes log₂(7,776) ≈ 12.9 bits of entropy. Five words therefore yield roughly 65 bits of entropy; six words yield roughly 78 bits. Sixty-five bits is considered sufficient to resist offline brute-force attacks even with modern GPU clusters, while 78 bits provides a comfortable additional margin. By contrast, a typical remembered password such as “P@ssw0rd1!” carries far fewer than 30 bits of real-world entropy once patterns and substitutions are accounted for.

Passphrases shine wherever you must type a secret by hand — full-disk encryption recovery keys, password manager master passwords, SSH key passphrases, or any account you log into on a device that lacks autofill. Because the words are meaningful, a five-word passphrase is far easier to memorize than a 20-character string of random symbols, yet equally resistant to dictionary attacks: the randomness lives in which words were picked, not in which characters were substituted.

Everything here runs entirely in your browser. No words, no generated passphrases, and no preferences are ever sent to a server. The randomness is sourced from your browser's built-in crypto.getRandomValues() API, the same cryptographic primitive used by secure key-generation tools. Reload the page, disconnect from the internet, and the generator works identically — because it has no server to contact.

Frequently Asked Questions

How many words should a passphrase have?

Use at least five words. Each word from the 7,776-word EFF list adds about 12.9 bits of entropy, so a five-word passphrase has roughly 65 bits — enough to resist offline brute-force attacks. Six words (~78 bits) gives a comfortable margin for high-value accounts.

Is a passphrase as secure as a random password?

Yes, when it has enough words. Security comes from entropy, not from looking complicated. A random five-to-six-word passphrase matches or exceeds the entropy of a typical 12–16 character password while being far easier to type and remember. The key is that the words are chosen randomly, not by you.

Are these passphrases generated privately?

Yes. Every passphrase is built in your browser using the crypto.getRandomValues() API. No words, passphrases, or settings are ever sent to a server, logged, or stored. You can disconnect from the internet and the generator still works.

Written & reviewed by Andrew Ivanov, Fractional CTO. Last reviewed .