Passphrase & Password Generator
Strong, memorable passphrases or random passwords — generated locally with the browser's cryptographic RNG.
Generated entirely in your browser with crypto.getRandomValues. Nothing you generate is sent, logged, or stored — reload and it's gone.
How it works
Both modes draw from crypto.getRandomValues — the operating system's cryptographically
secure random number generator, exposed to the browser — and use rejection sampling so
no character or word is even slightly more likely than another. Passphrase mode picks
whole words from a bundled list; its strength is the word count times the base-2 log of the list size, so
each added word contributes a fixed chunk of entropy. Password mode picks characters
from the sets you enable, guarantees at least one from each, then shuffles; its strength is length times
the base-2 log of the combined pool. The entropy readout updates live so you can dial in a target — aim
for 70 bits or more. Nothing is generated on a server; the wordlist ships inside the page.
FAQ
Is the randomness actually secure?
Yes. Every character and word is drawn from crypto.getRandomValues, the browser's
cryptographically secure random source, using rejection sampling so there's no modulo bias toward some
values. It is not Math.random, which is not safe for secrets.
Is a passphrase really stronger than a complex password?
Length wins. A handful of random words is easy to type and remember yet reaches high entropy because
the strength comes from the number of independent choices, not from mixing in symbols. Six random words
already outclass a short P@ssw0rd-style string — check either one in the
strength checker.
Where does the wordlist come from and is it private?
The wordlist is bundled into the page itself, so generation happens completely offline in your browser — no request is made and nothing you generate is logged or sent anywhere. The entropy shown is computed from the real length of that list.
From the channel
Secure Your Google Account Before Your Phone Gets Hijacked
Watch on The Exploit HQ — cyber threat intel in 60 seconds ▸
weekly kev brief
Patch what's actually being exploited.
One email a week: the vulnerabilities under active attack, prioritized — no noise.
Free. No spam. Unsubscribe anytime. Delivered by Beehiiv.