XKCD Password Generator
Generate secure, memorable passphrases using Diceware
For word lists and pitfalls, see how to create a memorable password.
Passphrase Generator
🛡️ Math Check: ~51.6 Bits of Entropy. Secure against online attacks.
Privacy-First by Design
Client-side generation powered by Web Crypto. Transparent, open source code you can audit anytime.
Why Random Words Beat Complex Passwords
In 2011, the webcomic XKCD #936 demonstrated something counterintuitive: a password like "correct horse battery staple" is both easier to remember AND harder to crack than "Tr0ub4dor&3".
The math is simple:
- Tr0ub4dor&3 → ~28 bits of entropy → crackable in days
- correct horse battery staple → ~44 bits of entropy → would take centuries
This generator uses the Diceware method with the EFF wordlist to create truly random word combinations. Each word adds approximately 12.9 bits of entropy, making a 4-word passphrase significantly stronger than most "complex" passwords.
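One way to implement the word selection and entropy figure described above, as an added example that is not this site's own code. The function names are hypothetical and `SAMPLE_WORDS` is a constructed stand-in for the 7776-word EFF list; the point it shows is rejection sampling, so that reducing a 32-bit value from `crypto.getRandomValues()` to a list index does not favour some words.

```javascript
// Constructed sample list; a real generator would load the full EFF list.
const SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern", "velvet"];

// Return a uniform integer in [0, n) from a Web Crypto style source.
// 2^32 is rarely a multiple of n, so a plain `value % n` would make the
// lowest indexes slightly more likely. Values in the uneven tail are discarded.
function randomIndex(n, rng = globalThis.crypto) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError("n must be an integer in 1..2^32");
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  for (;;) {
    rng.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

// Pick `count` words independently and uniformly from `words`.
function generatePassphrase(words, count, rng = globalThis.crypto) {
  // Duplicate entries would silently lower the real entropy per word.
  if (new Set(words).size !== words.length) {
    throw new Error("word list contains duplicates");
  }
  const picked = [];
  for (let i = 0; i < count; i++) {
    picked.push(words[randomIndex(words.length, rng)]);
  }
  return picked.join(" ");
}

// Entropy in bits when every word is drawn uniformly and independently.
// With 7776 words this is about 12.9 bits per word.
function entropyBits(listSize, count) {
  return count * Math.log2(listSize);
}
```

The entropy figure only holds if the words are chosen by the generator; regenerating until a phrase "looks nice" reduces it.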
When to Use Passphrases
- Password manager master passwords
- Device encryption passwords
- Any password you need to type frequently
- Accounts where you can't use a password manager
For accounts managed by a password manager, use our random password generator instead; those can be as complex as needed since you won't memorize them.
Cryptographically Secure
Uses Web Crypto API's crypto.getRandomValues() for true randomness. No pseudo-random number generators.
Client-Side Only
All password generation happens in your browser. No data is sent to our servers or stored anywhere.
Open Source
Transparent codebase you can audit anytime. Browse the GitHub repo.
Your Privacy is Protected
We don't collect, store, or transmit any data. Your passwords are generated locally in your browser using industry-standard cryptographic functions. No tracking, no analytics, no data collection.