Memorable passphrases from random words — generated entirely in your browser.
Words are picked at random (crypto.getRandomValues) from a curated list of 7,776 English words (EFF Diceware list).
One word is fully capitalized, one gets a number, one gets a special character.
No data leaves your browser.
Most people create passwords like P@ssw0rd! or Summer2024! — they feel secure because they have symbols and numbers. But attackers know exactly how humans think. They know you'll replace "a" with "@" and "o" with "0." They know you'll put the capital at the start and the symbol at the end. Cracking tools try these predictable patterns first, and they work fast.
A passphrase like crayon4fragrance!VINEYARD is different. The security comes from the number of randomly chosen words, not from clever character tricks. When a computer picks 3 words at random from 7,776 options and adds capitalization, a number, and a symbol, an attacker has to try an enormous number of combinations — even if they know which word list you used and exactly how the tool works. The math is on your side.
On top of that, every online service worth using has protections that make guessing even harder. Gmail, your bank, social media — they all limit how fast someone can try passwords. After a handful of wrong guesses, the account locks, a CAPTCHA appears, or the attacker gets blocked entirely. So those enormous combinations? An attacker doesn't even get to try most of them.
The bonus: you can actually remember it. Picture a crayon drawing a fragrance bottle in a vineyard, and you've got a mental image that sticks. Try doing that with xK#9m2!qL.
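How the random picks described above can be made without bias, as an added example that is not this site's code. The word list is a short constructed stand-in for the 7,776-word list, and the function names and the rule for how the decorations combine are assumptions.

```javascript
// Added example, not the site's code. SAMPLE_WORDS is a constructed stand-in;
// the page's generator draws from the 7,776-word EFF list.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;
const SAMPLE_WORDS = ["crayon", "fragrance", "vineyard", "ace", "fog", "yarn"];
const SYMBOLS = ["!", "@", "#", "$"]; // the four symbols the page names

// Uniform integer in [0, n). A bare `x % n` over-represents low values when
// 2^32 is not a multiple of n (7,776 is not), so draws at or above the largest
// multiple of n are discarded and redrawn.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) {
    throw new RangeError("n must be an integer in [1, 2^32]");
  }
  const limit = 2 ** 32 - (2 ** 32 % n);
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Picks `count` words independently, then decorates: one word fully
// capitalized, one followed by a digit, one followed by a symbol.
// Assumption: the three positions are chosen independently and may coincide,
// and the digit goes before the symbol when both land on the same word.
function generatePassphrase(words, count = 3) {
  if (!Array.isArray(words) || words.length === 0) throw new RangeError("empty word list");
  if (!Number.isInteger(count) || count < 1) throw new RangeError("count must be >= 1");
  const parts = Array.from({ length: count }, () => words[randomBelow(words.length)]);
  const capsAt = randomBelow(count);
  const digitAt = randomBelow(count);
  const symbolAt = randomBelow(count);
  const digit = String(randomBelow(10));
  const symbol = SYMBOLS[randomBelow(SYMBOLS.length)];
  return parts
    .map((word, i) => {
      let out = i === capsAt ? word.toUpperCase() : word;
      if (i === digitAt) out += digit;
      if (i === symbolAt) out += symbol;
      return out;
    })
    .join("");
}
```

Math.random() is not a substitute for the `rng` source here: it is not a cryptographic generator, so its output must not be used to choose secrets.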
| Words | Best for | Why |
|---|---|---|
| 3 (Recommended) | Most accounts — email, social media, banking, shopping, work logins | ~51 bits of entropy. Combined with brute-force protections every online service already has (lockouts, rate-limiting, CAPTCHA), this is effectively uncrackable for online attacks. Fast to type and easy to remember. |
| 4 | Extra margin — when you want more headroom, or for accounts you're especially cautious about | ~64 bits. Adds ~8,000x more combinations. Good if you want peace of mind beyond what 3 words already provide. |
| 5+ | Offline attack targets — password manager master password, full-disk encryption, anything where an attacker could crack the hash without rate-limiting | ~77 bits. For situations where there's no server to block guesses — the attacker has your encrypted file and can throw GPUs at it. This is where extra words genuinely matter. |
Tip: Adding a separator (hyphen, period) between words, or tossing in one extra number or symbol, further increases strength without hurting memorability. The generator already adds a number and special character automatically.
Not every site lets you use whatever password you want. Here's how to handle the common restrictions without giving up passphrase security.
No problem. The strength of your passphrase comes from the random words, not from the symbols between them. Just run the words together: crayonfragranceVINEYARD4. Or use a number as a separator: crayon7fragrance2vineyard.
Either approach is still far stronger than a short complex password like Tr0ub4d!.
The generator's output already works — the special character is appended to one word, not used as a separator. If the site rejects it, just delete that one character.
Same idea: strip the special character and you're fine. A 3-word passphrase with just letters and a number is still ~49 bits of entropy. Example: CRAYONfragrance4vineyard.
Generate a passphrase, then manually remove the symbol character (!, @, #, or $) before pasting. The remaining passphrase is still very strong.
This is the toughest restriction and it's worth being honest: a short character limit forces a real tradeoff. Here's how to get the most security within a tight limit:
Turn on "Short Words Only" in the settings above. This limits the generator to 3–5 letter words, making it much easier to hit a tight character limit. Set the Maximum Length field to the site's limit.
If 4 words won't fit, drop to 3. Add a number or allowed symbol to recover some entropy. Example that fits in 16 characters: ACE5fog$yarn.
A 12-character limit with no special characters is a genuinely bad policy and you're not doing anything wrong — the site is making security harder. If the account is important (banking, etc.), use the longest password the site allows, store it in a password manager rather than memorizing a compromised passphrase, and enable two-factor authentication if available.
Good news: the generator already handles this automatically. Every passphrase it creates has one fully capitalized word, one word with a number, and one word with a special character. You'll pass the rules without changing a thing.
Example: crayon4FRAGRANCE!vineyard has uppercase (FRAGRANCE), a number (4), and a symbol (!) — every box checked, and it's still easy to remember.