Passphrase Generator

Strong passwords made of random characters are nearly impossible to memorize, which is why people end up with weak ones written on sticky notes.

This generator creates passphrases using the EFF wordlist — a 7,776-word dictionary specifically chosen for memorability and to avoid offensive or confusable words. Pick the number of words (4 minimum, 6 recommended for serious accounts), separator (space, dash, dot), and optional capitalization or numbers. The result is something like 'correct-horse-battery-staple-piano' — long, random, and hard to mistype.

A 6-word EFF passphrase has about 77 bits of entropy, which is well above the threshold where brute force becomes infeasible even with cluster hardware. Compare that to an 8-character random password (~52 bits), which falls in a few hours on rented GPU time. The math favors length over character variety, which is why passphrases are gaining ground in security guidance.

The entropy math: each random word from a 7,776-word list contributes log₂(7776) ≈ 12.92 bits. Six words = 77.5 bits. To brute-force a 77-bit passphrase at a billion guesses per second, you'd need on the order of 10¹³ years — comfortably longer than the age of the universe. Compare that to an 8-character random ASCII password (95 possible characters per position) which has log₂(95⁸) ≈ 52.5 bits, brute-forced at the same rate in a few months. Length, not character variety, is what makes passphrases strong.

The pain this addresses: password requirements that produce weak, unmemorable passwords. Sites demand 'at least 8 characters with a number, uppercase, lowercase, and symbol.' People comply with 'Password1!' Reuse it everywhere. Get one site breached and have all their accounts compromised. The right answer is unique, long, random secrets per site, stored in a password manager. But for the master password (the one that unlocks the manager), passphrases are the answer because you have to memorize that one.

Worked example: select 'six words, dash separator, no capitalization.' Output: 'truffle-vintage-octopus-canyon-firefly-bracket'. 77.5 bits of entropy. Memorable enough that you can recite it after a few uses. Long enough that no realistic adversary will brute-force it. Unique — the chance of any other person having generated this exact phrase is roughly 1 in 10²³, which is the chance of randomly picking the same atom from a small grain of sand twice in a row.

What goes wrong with weaker approaches: 'leetspeak' (p@ssw0rd → p@$$w0rd) adds essentially zero entropy because attackers' dictionaries already include those substitutions. Adding 'remember a fact about yourself' (your dog's name + birth year) gives you 12-15 bits at most, which is laughable to a serious attacker. The diceware-style approach (random words from a large list, plus separators) is the de-facto standard for human-memorable passphrases because it's the only one with provable entropy under realistic assumptions about how attackers actually work.