Free · Fast · Privacy-first

Generate a Passphrase Online

A passphrase is a sequence of random words such as correct-horse-battery-staple that is simultaneously memorable for humans and cryptographically strong against attackers.

Diceware-style random word selection

🔒

Configurable word count (4–8 words)

Separator customisation (-, space, none)

No sign-up required

Cost
Free forever
Sign-up
Not required
Processing
In your browser
Privacy
Files stay local
FreeNo signupWhite-label

Add this Password Generator to your website

Drop the Password Generator into any page — blog post, product docs, intranet, school portal — with a single line of HTML. Your visitors get the full tool, processed entirely in their browser. No backend, no uploads, no signup.

  • Files stay 100% in the visitor's browser
  • Responsive — adapts to any container width
  • Free forever, no API key needed

Embed code

<iframe
  src="https://www.fixtools.io/utilities/password-generator?embed=1"
  width="100%"
  height="780"
  frameborder="0"
  style="border:0;border-radius:16px;max-width:900px;"
  title="Password Generator by FixTools"
  loading="lazy"
  allow="clipboard-write"
></iframe>

Attribution-friendly: a small "Powered by FixTools" link appears in the embed footer.

Why Passphrases Beat Random Strings for Passwords You Must Remember

Human memory simply does not work well with arbitrary strings of mixed characters. A password like k7 hash Bz exclamation nine mWqL2pX has high entropy and would satisfy any complexity policy, but it is practically impossible for most people to memorise reliably, which forces them to either write it down on paper near the device it protects or store it in a place that defeats the purpose of having a strong credential at all. Passphrases solve this problem by leveraging the way human memory actually works. We are extraordinarily good at remembering sequences of concrete words, especially when those words form a memorable or absurd mental image that the brain can rehearse during the encoding phase. A six word passphrase drawn from a seventy seven hundred word Diceware list has approximately seventy seven bits of entropy, which exceeds the security of a random twelve character password while being dramatically easier to commit to long term memory through association and repetition.

The security of a passphrase depends on exactly two factors, and both must be chosen carefully to achieve the security level you intend. The first factor is the size of the word list from which the words are drawn. A larger word list means more possible choices per word and therefore more entropy per word. The standard Diceware list contains seven thousand seven hundred and seventy six words, which corresponds to five rolls of a six sided die and gives twelve point nine bits of entropy per word. The second factor is the number of words in the passphrase. Five words from a Diceware list gives roughly sixty five bits of entropy, which is solid for everyday accounts. Six words gives seventy seven bits, which is strong enough for master passwords protecting password vaults and full disk encryption keys. The critical requirement underlying both factors is that the words are chosen by a cryptographic random process and not selected by a human, because human word selection is heavily biased toward common predictable words and undermines the entropy calculation.

Passphrases are most valuable for credentials that you must type from memory regularly rather than retrieve from a password manager every time. The canonical example is the master password of the password manager itself, which by definition you cannot store inside the manager. Another important case is the passphrase that unlocks a full disk encryption volume at boot, which is typed before the operating system has loaded the password manager. SSH key passphrases also belong in this category, as do any account credentials you might need to access from a friend's computer or a public terminal where your manager is unavailable. For everything else, where your password manager is the day to day access path, a random character password is equally secure and uses less screen space, so the passphrase format is not always the right choice.

A practical observation about passphrase memorisation is that the absurdity of the word combination matters more than people expect. A passphrase like correct-horse-battery-staple sticks in memory precisely because the image of a horse holding a battery and a staple is bizarre and visual, and the brain encodes bizarre images far more reliably than mundane ones. When you generate a passphrase, take a few seconds to construct a brief mental scene that involves all the words in the order they appear. The more peculiar the scene, the faster it locks in and the longer it survives in long term memory even after extended periods of not typing the passphrase. This memorisation technique, sometimes called the method of loci or simply the story method, transforms a passphrase from a sequence of arbitrary words into a single coherent unit that recalls itself effortlessly.

How to use this tool

💡

Choose 5–6 random words with a hyphen separator for a passphrase that balances memorability and strength.

How It Works

Step-by-step guide to generate a passphrase online:

  1. 1

    Choose your word count

    Select five or six words for a master password or a credential you will type regularly, because that range gives the right balance between entropy and memorisation effort. Use four words for lower stakes applications where memorability dominates, and seven or eight words only for extreme cases like long term archive encryption keys where you can afford a heavier credential.

  2. 2

    Select a separator

    Hyphens are the most practical separator for typing and work reliably across every system that accepts the passphrase. Spaces work well for spoken passphrases but can be trimmed by some password fields. Using no separator at all makes the passphrase slightly harder to type and to read back, so reserve that option for cases where you have tested compatibility with the destination system.

  3. 3

    Generate and memorise

    Click generate to produce a candidate passphrase. Spend three to five focused minutes constructing a vivid mental image that links the words together in their generated order. Recite the passphrase aloud or in your head several times before closing the browser tab so that the initial encoding is solid before you rely on it as a credential.

  4. 4

    Write it down temporarily if needed

    If you cannot memorise the passphrase immediately and reliably, write it on a single piece of paper and store the paper in a physically secure location such as a locked drawer at home. Destroy the paper as soon as you have the passphrase memorised. Never store the paper near the device the passphrase protects, and never photograph it onto an unencrypted phone.

Real-world examples

Common situations where this approach makes a real difference:

Password manager master password

A user setting up Bitwarden or 1Password for the first time generates a six word passphrase as the master password that will unlock the rest of their digital life. They spend five focused minutes memorising it by constructing a vivid mental scene linking all six words in order, then type it several times to confirm recall, and never forget it despite typing it daily for years afterward.

Disk encryption key

A laptop user enabling full disk encryption with LUKS, FileVault, or BitLocker chooses a five word passphrase for the volume key because it must be typed at boot before the password manager is available. The passphrase is strong enough to resist offline attack on the encrypted volume and memorable enough to type at startup without resorting to a sticky note on the laptop lid.

Shared account with a team

A small team that occasionally needs to type a shared account password in front of colleagues or read it aloud over a phone line chooses a passphrase rather than a random string. The natural words are easier to communicate verbally without errors than a sequence of mixed case symbols, and the passphrase format works in environments where dictation accuracy matters more than maximum cryptographic density.

When to use this guide

Use this for master passwords (password manager, disk encryption), passwords that must be typed from memory frequently, or for any account where memorability matters as much as security.

Pro tips

Get better results with these expert suggestions:

1

Create a vivid mental story connecting the words

The fastest reliable way to memorise a passphrase is to construct a brief absurd mental scene involving all the words in their generated order. The more unusual and visual the image, the more memorable it becomes because the brain encodes peculiar scenes far more deeply than ordinary ones. This memory technique, known as the method of loci or the story method, can make a six word passphrase stick after only three or four deliberate recitations, and the resulting recall typically remains stable for years.

2

Test recall before committing the passphrase

After generating and studying your passphrase, close the browser tab and attempt to recite all the words in the correct sequence from memory. If you can do this three times in a row with a short delay between each attempt, the passphrase is sufficiently memorised for daily use as a long term credential. Do not commit a passphrase as your master password until you have passed this informal test, because losing the master password of a password manager is a uniquely painful failure mode.

3

Write it on paper during the memorisation period only

It is acceptable, and sometimes prudent, to write a passphrase on a single piece of paper during the initial memorisation period of the first few hours or days, provided the paper is stored in a physically secure location such as a locked drawer or a home safe. Once you can recall the passphrase reliably without prompts, destroy the paper. The brief window of risk from the written copy is smaller and more controllable than the risk of permanently forgetting the only credential that unlocks your password manager.

4

Use a hyphen separator for the best typing experience

Hyphens are present on every standard keyboard layout including the on screen keyboards of phones and tablets, can be typed in a single keystroke without a shift modifier, and visually separate words clearly in password fields that show the typed characters as you go. Space separators work well for passphrases you speak aloud but can cause unexpected behaviour in some password fields that trim leading or trailing whitespace, so hyphens are the safer default unless you have a specific reason to use a different separator.

5

Use 5–6 words for the right balance

A 4-word passphrase has roughly the same security as a 10-character random password. A 6-word passphrase exceeds a 20-character random password in entropy. Five to six words is the sweet spot between memorability and strength.

6

Do not modify the words

Adding "1" to the end of a passphrase or capitalising one word reduces entropy significantly because these modifications are predictable. Use the words as generated, with a separator.

7

Passphrases are ideal for things you type regularly

For your password manager master password, which you type multiple times daily, a passphrase is far more practical than a 20-character random string. You can memorise it in minutes.

FAQ

Frequently asked questions

It depends entirely on the number of words and the size of the source word list. A four word passphrase drawn from a standard Diceware list has approximately the same entropy as a ten character fully random password. A six word passphrase exceeds a twenty character random password in entropy and is strong enough for master passwords protecting password managers. The key advantage of a passphrase over a random string of equivalent entropy is that it is dramatically more memorable, which matters when you must type the credential from memory rather than copy it from a manager.
Diceware is a passphrase generation method invented by Arnold Reinhold in the nineteen nineties that uses physical dice rolls to select words from a large standardised list of common short English words. Five rolls of a six sided die generate a number between eleven thousand one hundred and one and sixty six thousand six hundred sixty six, which maps to a specific word in the seven thousand seven hundred and seventy six word Diceware list. FixTools generates passphrases using the same word list and the same selection principle but draws the index using a cryptographic random function rather than physical dice.
No, this is a common mistake that significantly reduces the entropy of the passphrase without adding meaningful protection. Adding predictable modifications such as capitalising the first word or appending the digit one at the end is a well known pattern that password cracking tools explicitly account for in their rule sets. The passphrase is strongest when used exactly as generated, with only the separator between the words. If you need more entropy, add another word rather than modifying the existing ones.
A dictionary attack against a passphrase tries every combination of words from the source word list, which is the right model for evaluating passphrase security since the attacker knows you used Diceware. With a seven thousand seven hundred and seventy six word list and six words, the total combinations are roughly two times ten to the twenty third power. Even at one billion guesses per second, exhausting this search space would take longer than the current age of the universe, which makes a six word Diceware passphrase practically immune to brute force at any foreseeable computational scale.
A password is typically a single contiguous string of mixed characters with no internal structure that a human can naturally parse. A passphrase is a sequence of multiple complete words separated by a delimiter, with structure that the human brain can use as memory hooks. Both formats can achieve equivalent entropy levels through their respective construction rules, but passphrases are organised in a way that makes them dramatically more memorable, which makes them the right choice for credentials you must type from memory regularly.
Use at least six words for a password manager master password. This gives approximately seventy seven bits of entropy, which is strong enough for a credential that unlocks all your other credentials and that you must protect against offline attack should the vault file ever leak. If your password manager does not support a second factor of authentication on top of the master password, consider using seven words instead to add an extra margin against future increases in cracking hardware capability.
A five word passphrase with hyphen separators is typically thirty to forty characters long in total. Some older websites impose maximum password lengths of twenty or even sixteen characters, which would reject a Diceware passphrase outright. For those sites, fall back on a standard random character password generated by the regular FixTools generator with whatever length the site permits. Passphrases work best for systems you control directly such as password managers, encrypted drives, and SSH keys.
No. Even though passphrases are memorable and the temptation to reuse them is real, each passphrase should be used for exactly one credential. If you must memorise multiple passphrases because you have several credentials that cannot live in your password manager, vary the word count and word selection independently for each one rather than recycling the same passphrase across them. Use passphrases only for the small number of accounts you genuinely must access without your manager, and use manager stored random passwords for everything else.
Forgetting a master passphrase that protects your password manager or disk encryption volume is one of the most painful possible outcomes in personal information security, because there is no reset mechanism by design. Mitigate this risk during the memorisation period by writing the passphrase on a single piece of paper stored in a physically secure location, and by configuring any available account recovery mechanisms such as emergency contacts in 1Password or recovery codes in Bitwarden. Test your recall regularly during the first few weeks until the passphrase is stable in long term memory.
No, Diceware style word lists exist in many languages including French, German, Spanish, Italian, Japanese, and others, and a passphrase drawn from any sufficiently large list of words in a language you read fluently provides the same security properties. The important constraint is that the words come from a single defined list and are selected by a cryptographic random process. The FixTools generator currently uses an English word list, but the same principles apply to passphrases in other languages generated by appropriate tools.

Ready to get started?

Open the full Password Generator — free, no account needed, works on any device.

Open Password Generator →

Free · No account needed · Works on any device