Random Memorable Password Generator
Why memorable passwords?
Memorable passwords (also called passphrases) combine random words into a sequence that's easy for humans to remember but hard for computers to guess. The concept was popularized by the famous "correct horse battery staple" example from XKCD.
Instead of memorizing x7#Kp!2mR, you remember bold-reef-calm-pike-dawn. Both are secure, but one is dramatically easier to type and recall.
Passphrase strength
This generator uses a word list of 1,024 words, giving 10 bits of entropy per word. Strength scales with the number of words:
| Words | Entropy | Possible combinations | Time to crack |
|---|---|---|---|
| 3 words | 30 bits | ~1 billion | Seconds |
| 4 words | 40 bits | ~1 trillion | Minutes |
| 5 words | 50 bits | ~1 quadrillion | Years |
| 6 words | 60 bits | ~1.2 × 10¹⁸ | Centuries |
| 8 words | 80 bits | ~1.2 × 10²⁴ | Millennia |
Crack times assume an attacker knows the word list and tries 100 billion combinations per second.
Use cases
- Master password for your password manager
- Full-disk encryption passphrase (FileVault, BitLocker, LUKS)
- Passwords you need to type frequently by hand
- Shared Wi-Fi passwords that guests need to enter manually
- Account passwords when you don't use a password manager
- Backup recovery phrases for important accounts
How it works
- Your browser generates cryptographically secure random values using the Web Crypto API
- Each value selects a word from a curated list of 1,024 common English words
- Words are joined with your chosen separator to form a passphrase
- The passphrase exists only in your browser — nothing is sent to any server
Frequently asked questions
How many words should I use?
At least 5 words for everyday accounts (50 bits), 6–7 words for sensitive accounts (60–70 bits), and 8+ words for master passwords and encryption keys (80+ bits).
Is a passphrase as secure as a random character password?
It depends on length. A 5-word passphrase (50 bits) is weaker than a 16-character random password (~95 bits), but a 10-word passphrase (100 bits) exceeds it. The tradeoff is memorability — passphrases are far easier to remember and type.
Does it matter if the word list is public?
No. The security comes from the randomness of word selection, not the secrecy of the list. Even if an attacker knows the exact 1,024-word list, they still need to guess the specific combination — and with 5 words, there are over 1 quadrillion possibilities.
Which separator should I use?
Hyphens (-) are the most common and easiest to type. Periods work well for systems that reject hyphens. Spaces are natural but some systems don't allow them. The separator adds negligible entropy — word count is what matters.
The XKCD method
In 2011, Randall Munroe's XKCD comic #936 illustrated that a passphrase like "correct horse battery staple" (44 bits) is both stronger and more memorable than a typical "complex" password like "Tr0ub4dor&3" (28 bits).
The key insight is that humans dramatically overestimate the randomness of their "clever" substitutions (@ for a, 0 for o, ! at the end), while underestimating the combinatorial explosion of randomly chosen words. Attackers know all the common substitution patterns — they don't know which 5 words you randomly selected from a list of 1,024.
Privacy and security
Your generated passphrases never leave your device. This tool runs entirely in your browser using client-side JavaScript — no API calls, no server logs, no cookies, and no tracking of generated passwords. The source code is fully transparent and can be inspected in your browser's developer tools.