All tools

Passphrase Generator

Security

Generate strong, memorable passphrases from random words with live entropy.

Generated locally in your browser — passphrases are never sent to a server.

Generated passphrase

StrengthFair

Add a word or two for important accounts.

4

Words

Length

43.4 bits

Entropy

Options

Presets

Separator

About the Handiwork Passphrase Generator

The Passphrase Generator builds strong yet memorable passwords from random everyday words — the “diceware” approach made famous by the XKCD “correct horse battery staple” comic. Choose how many words to use, pick a separator, and optionally capitalize words or add a random number. A live entropy readout shows exactly how strong each passphrase is. Everything is generated locally in your browser using a cryptographically secure random number generator, so nothing you create ever leaves your device.

How to use the Handiwork Passphrase Generator

  1. Pick a preset (Memorable, Strong, Simple, or PIN words) or set the number of words with the slider.
  2. Choose a separator and toggle capitalization and a random number to suit the site’s rules.
  3. Check the entropy and strength meter, then copy your passphrase. Use the refresh button for a new one.

Why passphrases beat complex passwords

A string like “Tr0ub4dor&3” is hard for humans to remember but surprisingly easy for computers to crack. A passphrase of four to six random words is the opposite: it is long, easy to recall, and has enough entropy to resist brute-force attacks. Because the words are chosen randomly from a large list — not picked by you — each one adds a predictable, measurable amount of unpredictability.

How many words should I use?

Each random word from our list adds roughly the same amount of entropy, so more words means more security. Four words is a good baseline for everyday accounts, while five or six is recommended for email, banking, and your password manager’s master password. The entropy readout updates live so you can see the trade-off between memorability and strength as you adjust the word count.

Separators, capitals, and numbers

Separators (hyphens, dots, underscores, or spaces) make a passphrase easier to read and can satisfy sites that require special characters. Capitalizing the first letter of each word and adding a random digit help meet common composition rules without meaningfully hurting memorability. These extras add a little entropy, but the bulk of a passphrase’s strength still comes from the number of random words.

Generated privately in your browser

Passphrases are created with the Web Crypto API’s secure random generator and never sent anywhere. Only your option preferences are saved locally for convenience. When you are done, store the passphrase in a reputable password manager and use a unique one for every account.

Frequently asked questions

What is a passphrase?

A passphrase is a password made of several random words, such as “maple-river-orbit-candy”. It is long enough to be very secure, yet far easier to remember and type than a random string of symbols.

Are passphrases actually secure?

Yes, when the words are chosen randomly from a large list, as they are here. A four-to-six word passphrase has high entropy and resists brute-force and dictionary attacks. The live entropy readout shows the strength of each one in bits.

Is this passphrase generator private?

Completely. Passphrases are generated locally in your browser using a cryptographically secure random number generator and are never transmitted, logged, or stored on a server. Only your preferences are saved on your device.

How many words should my passphrase have?

Use at least four words for everyday accounts and five or six for high-value logins like email, banking, and your password manager. The entropy meter helps you pick a length that balances security and memorability.

Should I add numbers or capital letters?

They help satisfy sites that require a mix of character types and add a small amount of entropy. The biggest factor in strength is still the number of random words, so prioritize adding words over symbols.

All security tools