Skip to content
browserutils
How-to

How to Create a Strong Passphrase

Generate a memorable, high-entropy passphrase using the diceware method. Learn how many words to use, what wordlist to pick, and how to store it safely.

5 steps
  1. 1

    Open the passphrase generator

    Open the BrowserUtils Passphrase Generator. Everything runs in your browser using the Web Crypto API — your generated passphrase never touches a server.

  2. 2

    Pick a word count

    Use 4 words for casual accounts, 5 for sensitive accounts, and 6 or more for master passwords (password manager, full-disk encryption, SSH key).

  3. 3

    Choose a separator

    Spaces, hyphens, or dots all work. Pick whatever your target system accepts and whatever you find easiest to type. Hyphens are common because they survive autocorrect on mobile.

  4. 4

    Generate and read it aloud

    Hit generate. Read the passphrase aloud once or twice — saying it forces your brain to encode it. If a word feels awkward, regenerate. Reroll cost is zero.

  5. 5

    Store it safely

    If this is a password-manager master passphrase, write it on paper and store the paper somewhere secure (a safe, a sealed envelope at home). For everything else, save it in a password manager.

A strong passphrase is the cheapest, most effective security upgrade you can give yourself. Properly generated, a six-word passphrase is mathematically out of reach of every adversary on Earth — yet it’s something a human can memorize in an afternoon. The Passphrase Generator handles the random selection for you using a cryptographic RNG and the EFF long wordlist.

Why generate, not pick

The single most important rule: don’t choose the words yourself. Humans are bad at randomness. We cluster around common nouns (“dog”, “house”, “happy”), avoid repetition, and unconsciously favor words that sound nice together. A self-picked four-word passphrase often has 20 bits of entropy, not the 51 bits you’d get from a properly random sample. Use a generator backed by crypto.getRandomValues() (or roll dice).

How many words is enough?

Each word from the standard 7,776-word EFF wordlist contributes about 12.9 bits of entropy. Stack them and the security adds up multiplicatively:

  • 4 words (~51 bits): fine for routine accounts that don’t gate anything sensitive
  • 5 words (~64 bits): appropriate for email, banking, work logins
  • 6 words (~77 bits): the recommended minimum for password-manager master passphrases and full-disk encryption keys
  • 7+ words: paranoia tier — strong even against state-level adversaries with dedicated hardware

For context: 77 bits of entropy means an attacker running a trillion guesses per second would need about 5 million years to enumerate the space. There is no need to go higher unless you’re protecting nuclear secrets.

Tips and best practices

  • Don’t substitute leet-speak. Adding ! and 1 doesn’t help — attackers know to test those mutations. Add a word instead.
  • Don’t reuse passphrases across services. A breach at one site exposes everywhere you used the same passphrase. Use a password manager for non-master credentials and let it generate per-site random strings.
  • Choose your wordlist deliberately. Short wordlists (~2,000 words) have ~11 bits per word; the EFF long wordlist (~7,776 words) has ~12.9. The difference is small but real — 6 words from the EFF list is meaningfully stronger than 6 words from a smaller list.
  • Type it a few times immediately after generating. Muscle memory is the most reliable way to keep a passphrase in your head. Type it five or ten times right after you generate it, before you’ve had a chance to forget.
  • Don’t share it. Even with someone you trust. Share access through your password manager’s sharing feature, never the passphrase itself.

When to use a passphrase vs a random password

Use a passphrase for anything you have to type from memory: your password manager’s master passphrase, your laptop login, full-disk encryption keys, SSH key passphrases. For every other account — Twitter, your bank, your email — let your password manager generate a long random string. You won’t memorize those, and you don’t need to.

If you’re not sure whether your passphrase is strong enough, paste it into the Password Strength Checker — it estimates entropy and how long the passphrase would take to crack with realistic attacker hardware. For password-manager-style random strings, use the Password Generator instead. To learn more about the underlying concept, see the passphrase glossary entry.

Try it now

Open Passphrase Generator

Use the Passphrase Generator tool directly — no sign-up needed. Runs entirely in your browser.

Open Passphrase Generator