Diceware Passphrase Generator
Generate passphrases from a curated word list. Pick the number of words, separator, and case style. Memorable and high-entropy.
How to use Passphrase Generator
- Choose how many words you want. Five or more is a sensible default for a strong passphrase.
- Pick a separator (a hyphen, space, or any character) and a case style — lowercase, Title Case, or UPPER.
- Optionally append a two-digit number for sites that insist on a digit.
- Click the refresh button to draw a new set of words from a cryptographically secure random source.
- Check the entropy readout, then copy the passphrase. It is generated entirely in your browser.
Why a few random words beat a complicated password
A passphrase is a password made of several random words — willow-cobalt-meadow-quartz instead of X7#kq!2P. It feels less "secure" because it is readable, but that intuition is backwards. Passphrases can carry just as much entropy as symbol soup while being dramatically easier to remember and to type, which is exactly why security researchers and the EFF recommend them.
The Diceware idea, automated
The technique behind this generator is Diceware, devised by Arnold Reinhold. The original method has you roll physical dice to choose words from a numbered list, so the selection is provably random and free of human bias. We replace the dice with crypto.getRandomValues(), the browser's cryptographically secure random number generator, drawing each word independently and uniformly from the list.
Where the entropy comes from
The strength of a passphrase is governed by one formula: words × log2(list size). Critically, the entropy depends on the size of the list and how many words you pick — not on the specific words that appear. Here is how that scales for a representative word list:
- Per word from a 100-word list: log2(100) ≈ 6.6 bits
- Per word from a 7,776-word list: log2(7776) ≈ 12.9 bits
- 4 words from a large list: 4 × 12.9 ≈ 52 bits
- 5 words from a large list: 5 × 12.9 ≈ 64 bits
- 6 words from a large list: 6 × 12.9 ≈ 77 bits

The live entropy readout in the tool reflects this same math for the built-in list, so you can watch strength climb with every word you add.
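The uniform draw with crypto.getRandomValues() and the entropy formula described above, sketched as an added example; this is not the tool's own source. SAMPLE_WORDS is a constructed eight-word list and the function names are hypothetical.

```javascript
// Added example. In browsers `crypto` is a global; the fallback covers older Node.js.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Constructed sample list (8 words = 3 bits per word); a real list is far larger.
const SAMPLE_WORDS = ['willow', 'cobalt', 'meadow', 'quartz',
                      'harbor', 'ember', 'lantern', 'thistle'];

// Uniform integer in [0, n) by rejection sampling. A bare `value % n` favours
// low indexes whenever n does not divide 2^32 (7776 does not).
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) {
    throw new RangeError('list size must be an integer in 1..2^32');
  }
  const limit = 2 ** 32 - (2 ** 32 % n); // largest multiple of n that fits
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit); // discard the biased tail and redraw
  return buf[0] % n;
}

// Draw `count` words independently; repeats are allowed, as with dice.
function generatePassphrase(wordList, count, separator = '-') {
  if (new Set(wordList).size !== wordList.length) {
    throw new Error('duplicate entries make the real entropy lower than the formula');
  }
  if (!Number.isInteger(count) || count < 1) {
    throw new RangeError('count must be a positive integer');
  }
  const words = [];
  for (let i = 0; i < count; i++) {
    words.push(wordList[uniformIndex(wordList.length)]);
  }
  return words.join(separator);
}

// words × log2(list size): depends only on the counts, never on the words drawn.
function entropyBits(count, listSize) {
  return count * Math.log2(listSize);
}
```

If the separator is empty or can occur inside a word, different draws can produce the same string, so the formula then overstates the entropy.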
A public word list is not a weakness
It can feel wrong that the word list is openly known, but that is by design. Real cryptographic security follows Kerckhoffs's principle: a system should stay secure even when everything about it except the key is public. Here the "key" is the random choice of words. An attacker who knows the entire list still has to contend with the full set of equally likely combinations — a secret list would add no protection at all.
Choosing a length that fits the job
- 4 words — fine for low-value, throwaway logins.
- 5 words — a strong, comfortable everyday default.
- 6+ words — for a password-manager master password or anything that, if breached, unlocks everything else.
Adding a word multiplies the attacker's effort far more than sprinkling in symbols does, so when in doubt, lengthen the phrase rather than complicate it.
Related security tools
- Password Generator — when an account wants a random character string rather than words.
- Password Strength Checker — type a phrase in to see the word count translate into bits of entropy.
- OTP Generator — add a time-based second factor on top of the account this passphrase protects.
Frequently asked questions
Why choose a passphrase over a random password?
What is Diceware?
How is the entropy calculated?
Does it matter that the word list is public?
How many words should I use?
Should I add capital letters, numbers, or symbols?
Is the passphrase generated privately?
Where should I store my passphrase?
Built by Muhammad Tahir · About