Generate Memorable Passphrases That Are Easy to Remember, Hard to Crack
Privacy-first, 100% client-side passphrase generation
Your Passphrase
Generating your passphrase...
Passphrase Strength
Customization Options
⚠️ Security & Privacy Notice
For informational purposes only. While we use cryptographically secure random generation, passphrases should not be relied upon for critical security decisions without proper security audits.
Privacy: All generation happens locally in your browser. No data is sent to servers. History is stored in your browser's IndexedDB only.
Best Practices: Use unique passphrases for each account, store them in a password manager, and enable two-factor authentication wherever possible.
🔒 Web Crypto API
This tool uses the browser's built-in crypto.getRandomValues() API to generate cryptographically secure random numbers. This is the same technology used by password managers and security applications to ensure true randomness.
Unlike Math.random() which is predictable, the Web Crypto API uses your operating system's secure random number generator, making it impossible to predict which words will be selected.
📚 Wordlists
We use three carefully curated wordlists:
- EFF Long Wordlist - 7,776 carefully selected words, each 5-8 characters long, providing ~12.9 bits of entropy per word
- EFF Short Wordlist - 1,296 shorter words (3-5 characters), easier to type but with ~10.3 bits of entropy per word
- Diceware Wordlist - The original 7,776-word list created by Arnold Reinhold in 1995, providing ~12.9 bits of entropy per word
All wordlists avoid ambiguous words, profanity, and offensive terms. Words are loaded from local JSON files and never sent to any server.
🔐 Privacy & Security
- 100% Client-Side: All generation happens in your browser. No server communication.
- No Tracking: We don't use analytics, cookies, or tracking of any kind.
- Local Storage Only: History is saved in your browser's IndexedDB, never on our servers (we don't have servers!).
- Open Source: The code is transparent and can be audited for security.
Technical Details: Each word is selected by generating a cryptographically secure random number, then using that number to index into the wordlist. For a 5-word passphrase with the EFF Long Wordlist (7,776 words), there are 7,7765 = 28.4 quintillion possible combinations, providing 64.6 bits of entropy.
100% Client-Side Generation
More Password Tools
Explore our specialized password generators optimized for different use cases:
Compare password policies with textdiff.io for text comparison.
Frequently Asked Questions
Traditional password generators create random character strings like "xK9!mP2@qL" that are hard to remember. PassphraseForge generates memorable phrases like "correct-horse-battery-staple" using real words. Passphrases are both easier to remember and more secure due to their length.
Recommendations by account type:
- Critical accounts (email, password manager): 6-7 words (78-90 bits entropy)
- High security (banking, financial): 5-6 words (65-78 bits entropy)
- Medium security (social media, shopping): 4 words (52 bits entropy)
- Low security (throwaway accounts): 3 words (39 bits entropy)
More words = exponentially more secure. Each additional word multiplies security by 7,776×!
Yes! The security comes from cryptographically random selection, not word obscurity. The EFF Long Wordlist has 7,776 words, so a 4-word passphrase has 7,7764 = 3.7 trillion combinations. That's the same as a 10-character random password using letters, numbers, and symbols.
Key insight: "umbrella-cricket-diamond" is just as unpredictable as "xK9!mP2@qL" because both were chosen randomly. The difference is one is memorable and the other isn't!
Absolutely not! PassphraseForge runs 100% in your browser. Your passphrase never leaves your device.
How to verify: Open your browser's Developer Tools (F12), go to the Network tab, and generate a passphrase. You'll see zero network requests. The entire generation happens locally using the browser's built-in crypto.getRandomValues() API.
We don't use analytics, tracking, or any external services. Your privacy is paramount.
Entropy measures the randomness (unpredictability) of your passphrase in bits. More entropy = harder to crack. Each bit doubles the number of possible combinations.
- 40 bits = 1 trillion combinations (weak, crackable in days)
- 52 bits = 4 quadrillion combinations (moderate, months to crack)
- 65 bits = 36 quintillion combinations (strong, centuries to crack)
- 78+ bits = practically uncrackable with current technology
A 5-word passphrase with the EFF Long Wordlist provides ~65 bits of entropy — far stronger than most "complex" passwords like "P@ssw0rd123!" (which only has ~28 bits).
Separators improve readability without significantly affecting security. The choice is mostly personal preference:
- Dashes (-): Most common, works everywhere, easy to type
- Spaces ( ): Most readable, but some systems don't allow spaces
- Dots (.): Clean look, accepted by most systems
- No separator: "correcthorsebatterystaple" — harder to read but valid
Pro tip: Use different separators for different account types to avoid confusion. For example: dashes for banking, dots for social media, spaces for personal accounts.
You can, but you probably shouldn't. Manual modifications often reduce security because humans are predictable. Common patterns like changing "correct" to "c0rrect" or adding "123!" at the end are exactly what attackers check first.
Better alternatives:
- Enable "Add Numbers" or "Add Symbols" options — adds random digits/symbols between words
- Use "Capitalize Words" if the system requires uppercase letters
- Generate a new passphrase until you get one you like
These options maintain cryptographic randomness while meeting specific requirements.
Create a mental story! Our brains are wired to remember narratives and images.
Example: For "umbrella-cricket-diamond-planet-wizard"
"An umbrella-wielding cricket found a diamond on a distant planet where a mysterious wizard lived."
The more vivid and silly the story, the easier it is to remember. Turn abstract words into a memorable movie scene in your mind!
Practice: Type it 10 times in a row. Repeat before bed for 3 nights. You'll never forget it.
All wordlists are secure, but they differ in word length and entropy per word:
EFF Long Wordlist (Recommended)
- 7,776 words (5-9 characters each)
- 12.9 bits of entropy per word
- Best for maximum security
- Example: "umbrella", "clockwork", "galaxy"
EFF Short Wordlist
- 1,296 words (3-5 characters each)
- 10.3 bits of entropy per word
- Easier to type, shorter passphrases
- Need 6 words to match 5 EFF Long words
- Example: "crop", "jazz", "myth"
Diceware Wordlist
- 7,776 words (original list from 1995)
- 12.9 bits of entropy per word
- Historical significance, same security as EFF Long
- Example: "cleft", "natal", "viral"
Recommendation: Use EFF Long Wordlist for the best balance of security and memorability.
YES! Absolutely! Strong passphrases protect against brute-force and dictionary attacks, but they can't protect against phishing or keyloggers.
Layered security:
- Strong passphrase = First line of defense against cracking attempts
- 2FA (TOTP/hardware key) = Second line of defense against phishing and stolen credentials
Together, they make your accounts virtually unbreakable. Enable 2FA on all critical accounts (email, banking, password manager) using apps like Google Authenticator, Authy, or hardware keys like YubiKey.
Why Are Passphrases Better?
Learn how passphrases are both more memorable and more secure than traditional passwords.