Passphrase Generator
A memorable string of random words for the one password you have to type.
Most of your passwords should be long random strings your manager remembers for you. One or two cannot be, because you have to type them from memory: the master password to your vault, and the key to an encrypted disk or backup. A passphrase solves that. This tool strings together random words from a vetted list, and it does so entirely in your browser, so you get something a person can remember and a computer cannot guess. Nothing is stored, and nothing is sent anywhere.
How to use it
Pick the number of words and a separator, then generate and copy. The defaults are strong, so you can paste straight away or adjust first.
More words, more strength
Drag the slider to the number of words you want. Four is a good floor, and five or six suits a vault master password you mean to keep for years. The strength readout updates as you go.
Make it easy to type
Hyphens or spaces between the words make a long passphrase easier to read and type without mistakes. Use whichever you find easier, or none if a system refuses them. The capital and number toggles are there only for sites that demand them.
Type it a few times
Press Generate until you have one that sticks in your mind, then copy it where you need it. Type it out by hand a few times in the first day so your fingers learn it. This is one of the few passwords worth memorising.
Why this is safe
A passphrase tool is only as trustworthy as what it does with the passphrase. This one is built to do as little as possible.
Every passphrase is made on your device using the browser’s secure random generator, the same kind of randomness used for encryption keys, with each word chosen by an unbiased draw from the list. It is shown on screen and put on your clipboard when you ask, and that is all. There is no server in the loop, no account, no logging, and nothing written to storage. Close the tab and the passphrase is gone unless you saved it yourself.
The strongest proof is simple: turn off your connection and the tool still works, because there was never anything to send.
A passphrase is for the password you must type from memory, so its home is your head, not a note on your phone. Set up your vault master password or disk key with it, then learn it by typing. If you must write it down while it beds in, keep that note on paper somewhere only you can reach, and destroy it once the passphrase is in your memory.
Where the strength comes from
The strength readout shows bits of entropy, the honest measure of how hard a passphrase is to guess.
Each random word from this list adds about thirteen bits, so the work comes from the number of words, not from spelling tricks. Five random words put a passphrase well beyond what any computer can guess, and the meter will say so. A capital letter in a predictable place or a short number on the end barely moves the figure, because an attacker who knows the pattern gains almost nothing from it. If you want more strength, add a word.
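The unbiased draw and the entropy figure described above, as an added example that is not this page's own code. The names `drawIndex`, `makePassphrase`, `entropyBits` and the eight-word `SAMPLE_WORDS` list are hypothetical; a real tool would draw from the full 7,776-word list.

```javascript
// Constructed stand-in for the word list (illustration only, not the EFF list).
const SAMPLE_WORDS = ["alpha", "bravo", "charlie", "delta",
                      "echo", "foxtrot", "golf", "hotel"];

// Default random source: one uniform 32-bit value from the Web Crypto API.
const webRandomU32 = () =>
  globalThis.crypto.getRandomValues(new Uint32Array(1))[0];

// Uniform integer in [0, n) by rejection sampling. Using `value % n` on its
// own would favour low indexes whenever 2^32 is not a multiple of n, which
// is the case for a 7,776-word list.
function drawIndex(n, randomU32 = webRandomU32) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError("list size must be an integer in 1..2^32");
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  let value;
  do {
    value = randomU32();
  } while (value >= limit); // discard the uneven tail and draw again
  return value % n;
}

// Join `count` independently drawn words with the chosen separator.
function makePassphrase(words, count, separator = "-", randomU32 = webRandomU32) {
  const picked = [];
  for (let i = 0; i < count; i++) {
    picked.push(words[drawIndex(words.length, randomU32)]);
  }
  return picked.join(separator);
}

// Bits of entropy for `count` independent uniform draws from `listSize` words.
function entropyBits(listSize, count) {
  return count * Math.log2(listSize);
}

// Demo, only where Web Crypto is available (browsers, recent Node.js).
if (globalThis.crypto?.getRandomValues) {
  console.log(makePassphrase(SAMPLE_WORDS, 5));
  console.log(entropyBits(7776, 5).toFixed(1), "bits for 5 words from 7,776");
}
```

The random source is a parameter only so the rejection step can be exercised with fixed values; leave it at the default in real use.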
This is the companion to a password manager, not a replacement for one. You use a passphrase for the few passwords you type from memory, and let the manager hold a long random password for every account behind it. The Lock and Key guide walks through setting up a vault that a passphrase like this one protects.
Common questions
The questions people ask before they trust a tool with a password they have to remember.
Is the passphrase saved or sent anywhere?
No. It is built in your browser using your device's secure random generator, shown only on screen, and never sent to any server or written to storage. Reload the page and it is gone. The copy button puts it on your clipboard for you to paste, and nothing more.
Why words instead of a random string?
Because you have to type this one from memory. A manager can remember a long random password for you, but it cannot remember the password to itself, and it cannot type the key to an encrypted disk before the disk is unlocked. Whole words are far easier to recall and type without mistakes than a jumble of symbols, and a handful of random words is as hard to guess.
How many words do I need?
Four random words from this list is a sensible floor, and five or six is strong for a vault master password you want to last for years. The strength readout shows the bits of entropy so you can see each word doing real work. Length comes from the number of words, not from clever spelling.
Does capitalising or adding a number help?
Hardly at all against a computer, and the readout reflects that. An attacker who knows the scheme gains almost nothing from a predictable capital letter or a two-digit number on the end. The toggles are there because some systems demand a capital or a digit, not because they make the passphrase meaningfully stronger. Add a word instead if you want more strength.
Where do the words come from?
From the Electronic Frontier Foundation's large wordlist, the same list used by the diceware method. It is chosen for words that are easy to say and type, with rare words, proper names and confusable spellings removed, and no word is a prefix of another. The list is bundled with this page, so the tool works with your connection turned off.
Should I reuse a passphrase?
No. Make a separate one for each thing you have to type from memory, so your vault, your disk key and your device login each have their own. Everything behind the vault gets a long random password from the Password Generator instead, which the manager remembers for you.
How is this different from the Password Generator?
The Password Generator makes a long random string for an account your manager logs into for you, so you never type it. This makes a passphrase for the few passwords you do type from memory. Different jobs: one is remembered by software, the other by you.
Words from the EFF large wordlist of 7,776 words, used under CC BY 3.0 US, bundled with this page so the tool runs entirely on your device.