XKCD #936 is the most-cited and most-misunderstood cartoon in password security. Correct horse battery staple isn’t strong because words are easier to type than symbols. It’s strong because a 4-word draw from a 7776-word list creates a search space of 7776⁴ ≈ 3.66 × 10¹⁵ combinations — about 52 bits. The math is the same math you’d apply to characters; the words just survive human memory better. Passphrases serve a narrow but important slot: the secrets you have to type from memory and can’t paste from a manager — master passwords, recovery codes, the credential you dictate to a teammate over a phone line. Every result on this page surfaces the bit count, the wordlist size, and the four crack-time scenarios. Nothing leaves your browser.
The XKCD #936 moment
Most articles that cite the cartoon get the lesson backwards. They claim it shows that “words are stronger than random characters,” which is false. Words drawn from a fixed wordlist are weaker per token than characters drawn from the printable ASCII set — 12.9 bits per word against EFF Long, vs ~6.57 bits per character against 95-char ASCII. The reason the cartoon’s passphrase wins is length: four words at ~13 bits each is 52 bits, while the old-school “Tr0ub4dor&3” pattern is closer to 28 bits once an attacker’s rule engine applies the common substitutions.
The cartoon’s real point is about search space. An attacker who knows you used the EFF wordlist tries 7776ⁿ combinations, not 95ᵐ. Telling the attacker your construction doesn’t help them — it’s already the assumption (Kerckhoffs’s principle). The defender’s job is to pick enough words that the search space is intractable. Five EFF Long words clears 64 bits. Six clears 77.
How passphrase entropy works
One line of math: bits = wordCount × log₂(wordlistSize). The wordlist size is the alphabet size for this kind of secret; the word count is the length. Both inputs are visible in the widget above so the number is auditable.
Concrete checkpoints against EFF Long (7776 words, 12.92 bits per word):
- 3 words — 38.8 bits. Fair. Vulnerable to dedicated offline attack.
- 4 words — 51.7 bits. Fair. About an hour against MD5 dumped on an RTX 4090; about 2,500 years against bcrypt.
- 5 words — 64.6 bits. Strong. About 440 years against MD5; 9 billion years against bcrypt. The XKCD anchor.
- 6 words — 77.5 bits. Very strong. Millions of years against MD5; the heat death of stars before bcrypt finishes. This generator’s default.
- 7+ words — 90.4+ bits. Extreme. Nothing currently buildable cracks this, regardless of the server’s hash choice.
EFF Short v1 (1296 words, 10.34 bits per word) needs more words to match: 5 short-list words ≈ 51.7 bits — the same entropy as 4 long-list words, traded for shorter, easier words. That trade is honest math, not magic.
Choosing a wordlist
This generator ships four wordlists. Their differences are real and small:
- EFF Long (7776) — common English nouns and verbs. Best per-word entropy. A few obscure entries (zinger, ziplock) but mostly familiar. Default for English users.
- EFF Short v1 (1296) — shorter, more familiar words. Lower per-word entropy. Use it when you need to dictate the passphrase over a noisy channel or type it on a small keyboard.
- Diceware Original (Arnold Reinhold, 7776) — the 1995 list. Includes single-character entries, abbreviations (a&p), and numbers. Same entropy as EFF Long but harder to memorise.
- EFF-style PT-BR (our list, 7776, CC0) — Brazilian Portuguese, curated to be ASCII-only (no accents, no ç) so the passphrase types on any keyboard. Default for Portuguese users.
If you don’t know which to pick, take the default for your locale. The per-word entropy difference between EFF Long and EFF Short v1 is 2.6 bits — that’s less than adding one word to the count. Word count carries more weight than wordlist size for most realistic use cases.
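The entropy formula from the section above (bits = wordCount × log₂(wordlistSize)), the same arithmetic applied to character passwords, and the 2.6-bit per-word gap between EFF Long and EFF Short v1, carried through in code. This is an added example and not the generator’s own code; the function names are mine, and the guess rates in ASSUMED_GUESS_RATES are placeholders for illustration, not the benchmark figures behind this page’s four crack-time scenarios.

```javascript
// Added example (not the generator's own code): the entropy arithmetic from
// this page, bits = wordCount * log2(wordlistSize), and the expected
// search-time estimate that follows from it.

// Entropy of a uniform random draw of `count` tokens from an alphabet of
// `alphabetSize` symbols. A wordlist entry and a printable ASCII character
// are both "tokens" here; only the alphabet size differs.
function drawBits(count, alphabetSize) {
  if (!Number.isInteger(count) || count < 1) {
    throw new RangeError('count must be a positive integer');
  }
  if (!Number.isInteger(alphabetSize) || alphabetSize < 2) {
    throw new RangeError('alphabetSize must be an integer >= 2');
  }
  return count * Math.log2(alphabetSize);
}

// Fewest tokens from the given alphabet that reach a target bit count.
function tokensNeeded(targetBits, alphabetSize) {
  return Math.ceil(targetBits / Math.log2(alphabetSize));
}

// Expected search time under Kerckhoffs's assumption: the attacker knows the
// wordlist and the word count, so the space is exactly 2^bits guesses and the
// secret is found, on average, halfway through it.
function expectedSearchSeconds(bits, guessesPerSecond) {
  if (!(guessesPerSecond > 0)) throw new RangeError('guess rate must be > 0');
  return Math.pow(2, bits) / 2 / guessesPerSecond;
}

const SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60;

// Placeholder attacker rates (assumptions for illustration, NOT the benchmark
// numbers behind this page's own crack-time scenarios).
const ASSUMED_GUESS_RATES = {
  fastUnsaltedHash: 1e11,   // order of magnitude for a GPU against a fast hash
  slowMemoryHardHash: 1e4,  // the same GPU against a deliberately slow hash
};

// One row of the checkpoint table on this page, for any list and word count.
function checkpoint(wordCount, wordlistSize, rates = ASSUMED_GUESS_RATES) {
  const bits = drawBits(wordCount, wordlistSize);
  const row = { wordCount, wordlistSize, bits: Number(bits.toFixed(1)) };
  for (const [scenario, rate] of Object.entries(rates)) {
    row[scenario + 'Years'] = expectedSearchSeconds(bits, rate) / SECONDS_PER_YEAR;
  }
  return row;
}

// Per-word gap between two lists: what "2.6 bits" on this page refers to.
function perWordGap(listSizeA, listSizeB) {
  return Math.abs(Math.log2(listSizeA) - Math.log2(listSizeB));
}

// Stand-alone run: the EFF Long checkpoints and the short-list trade.
if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [3, 4, 5, 6, 7]) console.log(checkpoint(n, 7776));
  console.log('5 x EFF Short v1 =', checkpoint(5, 1296).bits, 'bits');
  console.log('Long vs Short gap =', perWordGap(7776, 1296).toFixed(2), 'bits/word');
  console.log('words of EFF Short v1 to clear 64 bits:', tokensNeeded(64, 1296));
  console.log('ASCII chars to match 6 long words:', tokensNeeded(drawBits(6, 7776), 95));
}
```

Two things the arithmetic makes visible: 5 × log₂(1296) and 4 × log₂(7776) are the same number (both are 20 × log₂6, so the short-list trade costs exactly one extra word), and adding one word to either list moves the bit count further than switching lists does.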
Diceware — the paranoid mode
The widget’s Diceware toggle exposes the underlying 5d6-per-word rolls. Each word in the result has a 5-digit roll attached. This is useful in two situations:
- Verification. If you don’t trust browser RNG, look up each roll in the published EFF or Reinhold wordlist on a different device and confirm the word matches. This proves the generator isn’t lying about how it picked.
- Physical generation. Roll five real dice (or one die five times), read the result left-to-right as a 5-digit number from 11111 to 66666, look up that entry in a printed wordlist, write the word down. Repeat for each position. The result is a passphrase that never touched the network, never touched your operating system’s random pool, and is genuinely your own. Slower — about 30 seconds per word, including the lookup — but cryptographically equivalent to the widget’s virtual rolls. For users who suspect their device may be compromised (a real concern for high-value targets), it’s the only fully auditable generation path.
EFF Short v1 uses 4d6 instead of 5d6 because 1296 = 6⁴. The dice mapping is canonical: roll 11111 always maps to the first entry, roll 66666 to the last. The order in our codified array preserves the original mapping byte-for-byte — you can verify it against the source files (SHA-256 checksums are documented in each wordlist’s header).
When to use passphrases vs passwords
Both are random draws; the difference is what you’re optimising for. Quick rules:
- Memorise it (master password, recovery code, anything you’ll type from memory): passphrase. Six EFF Long words is 77 bits and recallable; a 13-character random ASCII password is the same entropy but unmemorable.
- Store it in a manager (most site logins): password. Higher entropy per character means a 20-character random password takes less space and types faster when autofill fails.
- Dictate it to someone (handing off a server credential, reading a Wi-Fi key aloud): passphrase. Words survive phone-line noise better than symbols.
- Field has a 16-character limit (banks, some legacy enterprise apps): password. A 6-word passphrase needs more characters than the limit allows. Take the strongest random password that fits.
The two generators are not in competition. They’re tools for different inputs to the same job.