# How to Create a Strong Passphrase

> Generate a memorable, high-entropy passphrase using the diceware method. Learn how many words to use, what wordlist to pick, and how to store it safely.

- URL: https://www.browserutils.dev/how-to/create-strong-passphrase
- Published: 2026-07-03
- Updated: 2026-07-02

---

## Step 1: Open the passphrase generator

Open the BrowserUtils Passphrase Generator. Everything runs in your browser using the Web Crypto API — your generated passphrase never touches a server.

## Step 2: Pick a word count

Use 4 words for casual accounts, 5 for sensitive accounts, and 6 or more for master passwords (password manager, full-disk encryption, SSH key).

## Step 3: Choose a separator

Spaces, hyphens, or dots all work. Pick whatever your target system accepts and whatever you find easiest to type. Hyphens are common because they survive autocorrect on mobile.

## Step 4: Generate and read it aloud

Hit generate. Read the passphrase aloud once or twice — saying it forces your brain to encode it. If a word feels awkward, regenerate. Reroll cost is zero.

## Step 5: Store it safely

If this is a password-manager master passphrase, write it on paper and store the paper somewhere secure (a safe, a sealed envelope at home). For everything else, save it in a password manager.

A strong passphrase is the cheapest, most effective security upgrade you can give yourself. Properly generated, a six-word passphrase is mathematically out of reach of every adversary on Earth — yet it's something a human can memorize in an afternoon. The [Passphrase Generator](/tools/passphrase-generator) handles the random selection for you using a cryptographic RNG and the EFF long wordlist.

## Why generate, not pick

The single most important rule: **don't choose the words yourself**. Humans are bad at randomness. We cluster around common nouns ("dog", "house", "happy"), avoid repetition, and unconsciously favor words that sound nice together. A self-picked four-word passphrase often has 20 bits of entropy, not the 51 bits you'd get from a properly random sample. Use a generator backed by `crypto.getRandomValues()` (or roll dice).

## How many words is enough?

Each word from the standard 7,776-word EFF wordlist contributes about **12.9 bits of entropy**. Stack them and the security adds up multiplicatively:

- **4 words (~51 bits)**: fine for routine accounts that don't gate anything sensitive
- **5 words (~64 bits)**: appropriate for email, banking, work logins
- **6 words (~77 bits)**: the recommended minimum for password-manager master passphrases and full-disk encryption keys
- **7+ words**: paranoia tier — strong even against state-level adversaries with dedicated hardware

For context: 77 bits of entropy means an attacker running a trillion guesses per second would need about 5 million years to enumerate the space. There is no need to go higher unless you're protecting nuclear secrets.

## Tips and best practices

- **Don't substitute leet-speak.** Adding `!` and `1` doesn't help — attackers know to test those mutations. Add a word instead.
- **Don't reuse passphrases across services.** A breach at one site exposes everywhere you used the same passphrase. Use a password manager for non-master credentials and let it generate per-site random strings.
- **Choose your wordlist deliberately.** Short wordlists (~2,000 words) have ~11 bits per word; the EFF long wordlist (~7,776 words) has ~12.9. The difference is small but real — 6 words from the EFF list is meaningfully stronger than 6 words from a smaller list.
- **Type it a few times immediately after generating.** Muscle memory is the most reliable way to keep a passphrase in your head. Type it five or ten times right after you generate it, before you've had a chance to forget.
- **Don't share it.** Even with someone you trust. Share access through your password manager's sharing feature, never the passphrase itself.

## When to use a passphrase vs a random password

Use a passphrase for **anything you have to type from memory**: your password manager's master passphrase, your laptop login, full-disk encryption keys, SSH key passphrases. For every other account — Twitter, your bank, your email — let your password manager generate a long random string. You won't memorize those, and you don't need to.

If you're not sure whether your passphrase is strong enough, paste it into the [Password Strength Checker](/tools/password-strength-checker) — it estimates entropy and how long the passphrase would take to crack with realistic attacker hardware. For password-manager-style random strings, use the [Password Generator](/tools/password-generator) instead. To learn more about the underlying concept, see the [passphrase glossary entry](/glossary/passphrase).