Doesn't the attacker know my word list?

**Passphrase security ASSUMES the attacker knows the word list** (**Kerckhoffs's principle**: security must not depend on hiding the algorithm). Those 45 bits already account for it. **The EFF/Diceware list is public** and passphrases remain unbreakable.

English words, fine for non-English speakers?

**Yes**. The word list itself is irrelevant, what matters is that words are picked randomly. English words are **short and easy to memorize** across languages. Entropy = **word count × log2(dictionary size)**, language-independent.

Does the passphrase reach the server?

**No**. The whole algorithm runs locally, the dictionary is bundled into the page, randomness from the **Web Crypto API**. **DevTools → Network** = no requests when generating.

How does a passphrase handle dictionary attacks?

**Dictionary attacks** try known passwords ("password", "Summer2024"). Your passphrase **"able-tank-wide-yarn-zone"** is a randomly generated combination, **not in any password list**. Only brute force, and at 50+ bits = **infeasible**.

Can I make up a passphrase by hand?

**Better not**. Human choices are **predictable** ("cute-puppy-sunset" is way more common than "able-cellular-disk"). Attackers know the patterns and try them first. **Cryptographic randomness** guarantees uniform distribution = 50 bits of entropy. **Hand-picked** is usually 25-30 bits, **weak**.

What if the service rejects spaces?

**Most accept** any ASCII character. Older forms sometimes reject spaces, **use a dash or underscore**. Some require **specific special characters**, turn on "append digit and symbol".

How many words should I pick?

Word count depends on account weight: - **5 words**: baseline for ordinary accounts (45 bits) - **6 words**: standard for banking, primary email (54 bits) - **7-8 words**: password manager master (60-70 bits) - **10 words**: for critical systems (root, crypto keys) **Above 7 words** the practical difference is small, already unbreakable.

Passphrase Generator - free

Generated passphrase48 bits of entropy

Word count5

Separator

Capitalization

Everything runs locally. Your passphrase never leaves the browser.

Are word-based passwords safe and how do I make one?

Passphrase generator: instead of random characters like "Kx9$gF#pR2vZ" you get "able-tank-wide-yarn-zone-2", easier to remember, equally strong cryptographically.

The Diceware/EFF algorithm: 5-7 words from a ~500-word list = 50-70 bits of entropy, practically unbreakable by brute force.

Perfect for password manager master keys, laptop login, dictating over the phone. The whole generation happens in your browser.

How to use it

Set the word count. 5-6 words is the standard (50-60 bits). 7+ for maximum security.

Pick a separator: dash (-), underscore (_), period (.) or space. If a service rejects spaces, use a dash.

Optional: uppercase (first letter of each word, or all), some sites require it.

Append a digit and/or special character at the end. Most corporate policies require it.

Click copy, paste straight into a password manager (1Password, Bitwarden, KeePassXC).

When this is useful

Five typical situations where a passphrase beats a random character string:

Password manager master password. You only memorize one, so a passphrase is perfect (long but readable).
Laptop or desktop login. You type it daily, much easier as a passphrase than random characters.
Encrypted disk password (LUKS, BitLocker, FileVault). Typed at every boot.
System admin password (root, sudo). Rarely used, but you have to remember.
PGP / GPG key passphrase. Valuable keys, password committed to memory.

For regular accounts in your password manager, use the random password generator, you don't memorize it, so readability doesn't matter.

Questions and answers

Yes. 5 words from a 500-word list = 5 × log2(500) ≈ 45 bits of entropy. Cracking time on a GPU cluster (10^11 attempts/s) ≈ 50 years. 6 words = 54 bits ≈ 10,000 years. Practically unbreakable.

Are word-based passwords safe and how do I make one?

Passphrase generator: instead of random characters like "Kx9$gF#pR2vZ" you get "able-tank-wide-yarn-zone-2", easier to remember, equally strong cryptographically.

The Diceware/EFF algorithm: 5-7 words from a ~500-word list = 50-70 bits of entropy, practically unbreakable by brute force.

Perfect for password manager master keys, laptop login, dictating over the phone. The whole generation happens in your browser.

How to use it

Set the word count. 5-6 words is the standard (50-60 bits). 7+ for maximum security.

Pick a separator: dash (-), underscore (_), period (.) or space. If a service rejects spaces, use a dash.

Optional: uppercase (first letter of each word, or all), some sites require it.

Append a digit and/or special character at the end. Most corporate policies require it.

Click copy, paste straight into a password manager (1Password, Bitwarden, KeePassXC).

When this is useful

Five typical situations where a passphrase beats a random character string:

Password manager master password. You only memorize one, so a passphrase is perfect (long but readable).
Laptop or desktop login. You type it daily, much easier as a passphrase than random characters.
Encrypted disk password (LUKS, BitLocker, FileVault). Typed at every boot.
System admin password (root, sudo). Rarely used, but you have to remember.
PGP / GPG key passphrase. Valuable keys, password committed to memory.

For regular accounts in your password manager, use the random password generator, you don't memorize it, so readability doesn't matter.

Questions and answers

Passphrase Generator

Are word-based passwords safe and how do I make one?

How to use it

When this is useful

Questions and answers

Related tools

Password Generator

Pwned Password Check

Password Hashes: MD5, SHA, bcrypt

Passphrase Generator

Are word-based passwords safe and how do I make one?

How to use it

When this is useful

Questions and answers

Related tools

Password Generator

Pwned Password Check

Password Hashes: MD5, SHA, bcrypt