HomeGeneratorsSecurityPassphrase Generator

Passphrase Generator

Security

Generate strong, memorable passphrases from a curated word list. Customise word count, separator, and capitalisation — browser-based, no sign-up required.

What is a Passphrase?

A Passphrase Generator creates a sequence of random words drawn from a curated word bank and joins them with a separator of your choice — producing credentials like anchor-raven-maple-frost-62 that are both long enough to be strong and structured enough to be memorable. Unlike a conventional password where every character is independently random, a passphrase groups randomness into recognisable word chunks that the human memory is far better at retaining.

The idea was popularised by XKCD comic 936 ("correct horse battery staple"), which illustrated that four random words are simultaneously easier to remember and mathematically harder to brute-force than a short mixed-character string. The key word is random — passphrases only work when the words are chosen by a truly random process, not by a person. Humans gravitate toward words from a narrow vocabulary slice (pets, places, films) and combine them in predictable ways, which undermines security. This generator eliminates that bias by drawing each word from a 256-word bank using the cryptographically secure crypto.getRandomValues() API.

Each word in the bank contributes exactly 8 bits of entropy — a clean measure based on the 256-word pool size (log₂(256) = 8). A 4-word passphrase therefore provides 32 bits; a 5-word passphrase provides 40 bits; a 6-word passphrase provides 48 bits. Appending the optional 2-digit random number adds a further 6.5 bits. For high-value credentials such as a password manager master key, choose 6 or more words.

For random character-dense credentials such as API keys or system passwords, the Password Generator remains the right tool. For unique technical identifiers, the UUID Generator is more appropriate. A passphrase is specifically designed for credentials a person needs to type or recall directly.

How to use this Passphrase calculator

  1. Set Number of Words to the word count you need — 4 for quick accounts, 6 or more for a master password.
  2. Choose a Separator from the dropdown that matches the rules of the site or system you're signing up for.
  3. Toggle Capitalise Each Word on if the site requires at least one uppercase letter.
  4. Toggle Append a Random Number on (it is on by default) if the site requires a digit.
  5. Click Generate — the passphrase appears immediately in the Generated Passphrase output box.
  6. Click the copy button to copy the passphrase to your clipboard in one click.
  7. Paste it into the password field and save it in your password manager before closing the tab.

Formula & Methodology

The generator maintains a curated bank of 256 common English words — nouns and adjectives, 4–8 characters each, chosen for memorability and unambiguous pronunciation. The bank size of 256 = 2⁸ gives a clean 8 bits of entropy per word, making strength calculations straightforward.

Word selection: each word is drawn using crypto.getRandomValues() to fill a Uint32Array. Rejection sampling is applied — any value outside the largest multiple of 256 that fits in a 32-bit integer is discarded and resampled — eliminating the modulo bias that would otherwise make certain words marginally more likely than others.

Number selection: the optional two-digit number (10–99) is drawn with the same rejection-sampling approach over the range [10, 99], contributing log₂(90) ≈ 6.5 additional bits of entropy.

Full entropy table (with number appended):

| Words | Entropy (words only) | Entropy (+ number) |
|---|---|---|
| 3 | 24 bits | ~30.5 bits |
| 4 | 32 bits | ~38.5 bits |
| 5 | 40 bits | ~46.5 bits |
| 6 | 48 bits | ~54.5 bits |
| 7 | 56 bits | ~62.5 bits |

All generation runs entirely in your browser — nothing is transmitted to any server at any point.
Frequently Asked Questions
What is a passphrase?
A passphrase is a sequence of random words joined by a separator — for example, 'grape-anchor-shark-76' or 'river.noble.falcon.52'. Unlike a conventional password that combines random characters, a passphrase gains strength from length: each additional word multiplies the number of possible combinations while keeping the result something a human can actually remember or type.
What is the difference between a passphrase and a password?
A password is typically a short, dense string of mixed characters (uppercase, lowercase, numbers, symbols) that is hard to remember. A passphrase is a longer sequence of ordinary words that is easier to recall but achieves comparable or greater security through sheer length. 'Grape-anchor-shark-76' is longer and harder to brute-force than 'Gr@p3!' even though it feels more readable.
How random are the passphrases generated here?
Every word is selected using the browser's Web Crypto API (crypto.getRandomValues), a cryptographically secure random source — the same class of randomness used for encryption keys. Rejection sampling is applied to eliminate modulo bias, so every word in the 256-word bank has exactly equal probability of appearing. Nothing is derived from your device, your IP, or the current time.
How many words should my passphrase have?
With this tool's 256-word bank (8 bits of entropy per word), a 4-word passphrase yields 32 bits of entropy — adequate for low-stakes accounts. 5 words gives 40 bits and 6 words gives 48 bits, which is strong for most personal use. Add the optional random number (+6.5 bits) for extra margin. For master passwords or encryption keys, choose 7 or more words.
How do I generate a passphrase?
Set Number of Words to the count you want (3–10), choose a Separator from the dropdown, toggle Capitalise Each Word and Append a Random Number on or off, then click Generate. The passphrase appears in the output box immediately. Click the copy button to copy it to your clipboard.
Can I customise the separator between words?
Yes — the Separator dropdown offers five options: hyphen (word-word), space (word word), dot (word.word), underscore (word_word), or none (wordword). Choose the one that matches the rules of the system you're creating a credential for. Some services reject spaces in passwords; hyphens and dots are universally accepted.
What does the 'Append a Random Number' option do?
When enabled (the default), a two-digit number between 10 and 99 is appended after the last word, also separated by your chosen separator. This adds approximately 6.5 bits of additional entropy and satisfies the 'must contain a number' requirement that many sites enforce, without requiring you to memorise where the number falls within the phrase.
Is this passphrase generator safe to use?
Yes — generation happens entirely inside your browser using the Web Crypto API. No word selections, no passphrases, and no form inputs are ever sent to a server. The tool has no backend, no logging, and no analytics tracking individual outputs. Closing the tab removes any trace of what was generated.
Are generated passphrases stored anywhere?
No. The passphrase exists only in your browser's memory for as long as the tab is open. Once you copy it and navigate away, it is gone. There is no server-side storage, no account required, and no history of previous generations.
Can the same passphrase be generated twice?
It is mathematically possible but practically negligible. A 4-word passphrase drawn from 256 words has 256⁴ = about 4.3 billion possible combinations; with a 2-digit number appended, that rises to roughly 387 billion. The probability of any two users generating the exact same passphrase is vanishingly small, and the tool has no memory of previous outputs.
Should I use a passphrase or a traditional password?
For accounts you type manually and need to remember — like a password manager master key, a device unlock PIN, or an email login — a passphrase is often the better choice: it is longer (more entropy) and easier to recall. For everything else, generate a unique random password with the [Password Generator](/password-generator/) and store it in a password manager. You do not need to memorise passwords your manager stores for you.
Can I use a passphrase for my email or bank account?
Yes — most modern login forms accept passphrases, though a few older systems cap password length at 16–20 characters, which may truncate a long phrase. Check the site's password rules before using one. For technical credentials like API tokens and database passwords, the [UUID Generator](/uuid-generator/) or [Password Generator](/password-generator/) may be more appropriate formats.

Related Calculators

security
Password Generator
Generate strong, random passwords with customisable length and charact
dev
UUID/GUID Generator
Generate RFC 4122 version 4 UUIDs (GUIDs) instantly for development an