Passphrase Generator

Memorable, high-entropy word passphrases. Nothing leaves your browser.

Click generate...
0 bits

Wordlist: 1879 common English words, 3-7 letters each. Selection uses the Web Crypto API.

How to use it

  • Pick a word count. Six or seven words is the sweet spot between memorability and strength.
  • Choose a separator your target site accepts. Hyphens are safe almost everywhere.
  • If a site demands a digit or symbol, toggle those on. The result still reads as words.
  • Read the passphrase out loud once or twice to commit it to memory before pasting it into your password manager.

Frequently asked questions

Why use a passphrase instead of a random password?

Passphrases pair high entropy with human memorability. Four to seven random common words are far easier to remember than a 16-character mixed string and, with enough words, just as hard for attackers to guess.

How many words should I use?

Six or seven words from a multi-thousand word list is the modern recommendation for sensitive accounts. A seven-word passphrase from our 1879-word list gives roughly 76 bits of entropy, comparable to a six-word Diceware passphrase.

Are the words really random?

Yes. Word selection uses crypto.getRandomValues from the Web Crypto API with rejection sampling to avoid modulo bias. There is no predictable seed.

Should I add numbers or symbols?

It is not strictly necessary if you use enough words, but many sites require at least one digit and one symbol. The optional add-ons here satisfy those rules without harming memorability.

Is the passphrase sent to a server?

No. Everything happens locally in your browser. Nothing is uploaded, logged, or stored by ChrysoKit.

Why four random words beat P@ssw0rd!

Security is measured in entropy: how many possibilities an attacker must try. A passphrase of four words drawn uniformly from a 7,776-word list (the Diceware standard) has 7776^4 = 3.6 x 10^15 combinations, about 51.7 bits... and each added word contributes another 12.9 bits, multiplying the work by 7,776. The crucial condition is random selection: "correct horse battery staple" style phrases derive their strength from the dice, not the words. A phrase you composed yourself ("ilovemydog2024") follows human patterns that cracking software models directly, and carries a fraction of the entropy its length suggests.

Sizing the phrase to the job

  • 4 words: reasonable for low-stakes accounts behind rate limiting.
  • 5 words (about 64 bits): a solid general-purpose target.
  • 6-7 words (77-90 bits): appropriate for the credentials that protect everything else... your password manager's master password and your primary email. These are typed regularly, which is exactly where memorability pays.
  • Separators and a capital letter or digit help satisfy legacy complexity rules without meaningfully changing the math.

The honest comparison with random-character passwords

Character-for-character, random gibberish is denser: a 14-character random password (about 90 bits) matches a 7-word phrase. The difference is human: the phrase can actually be remembered and typed on a phone keyboard. The professional pattern uses both... one strong memorised passphrase guarding a password manager, and the manager generating unique random passwords for every other account. Memorise one thing; let software remember the rest.

Passphrases and non-English keyboards

A practical detail for multilingual users: passphrases are typed often, and a phrase fighting your keyboard layout gets resented. English wordlist phrases type cleanly on any layout, including Greek keyboards in Latin mode, and survive the worst environments... hotel business centres, TV on-screen keyboards, a borrowed phone... where symbol-heavy passwords become archaeology. If a service or your own preference calls for separators, hyphens and digits are layout-stable worldwide; symbols like @ and # migrate between keys across layouts and are best avoided in anything typed while travelling. The strength lives in the word count, so spending the convenience budget on typability costs nothing.

Advertisement