About

A weak password cracks in seconds. A short random one cracks in hours. The difference between a breached account and a secure one often comes down to entropy - measured in bits. This tool generates passphrases using a curated 2048-word list and the Web Crypto API (crypto.getRandomValues), producing output with calculable entropy of E = n × log2(W) bits, where n is word count and W is list size. A 4-word passphrase yields ~44 bits; a 6-word one reaches ~66 bits - sufficient to resist brute-force attacks at 10¹² guesses per second for centuries.

This tool approximates real-world security assuming the attacker knows the word list and method (Kerckhoffs's principle). Actual resistance depends on your threat model. The generator runs entirely client-side. No passphrase is transmitted or stored beyond your browser's LocalStorage. The clipboard auto-clears after 60 seconds. Pro Tip: never reuse a passphrase across services, and pair it with a hardware token or TOTP for critical accounts.

Formulas

The fundamental entropy of a passphrase drawn from a uniformly random word list is calculated as:

E = n × log2(W)

Where E = total entropy in bits, n = number of words selected, W = size of the word list (2048 in this tool, so log2(2048) = 11 bits/word).

When augmentations are applied (digit insertion, symbol insertion, capitalization transforms), the effective entropy increases per element:

E_total = n × log2(W) + n_d × log2(10) + n_s × log2(S)

Where n_d = count of random digits appended, n_s = count of random symbols inserted, and S = size of the symbol alphabet (this tool uses 8 common symbols: !@#$%&*?).

The estimated crack time assumes an attacker performing an offline brute-force attack:

T = 2^E ÷ (2 × G)

Where T = expected time in seconds (average case is half the keyspace), and G = guesses per second (10¹² for a well-funded adversary with GPU clusters). Rejection sampling eliminates modulo bias: generate a random 32-bit integer, discard any value ≥ W × floor(2³² ÷ W) and retry, otherwise take the value mod W.

Reference Data

Word Count | Entropy (bits) | Possible Combinations | Time to Crack @ 10¹² guesses/s | NIST Strength Rating
3          | 33 bits        | 8.59 × 10⁹            | < 1 second                     | Weak
4          | 44 bits        | 1.76 × 10¹³           | ~4.9 hours                     | Fair
5          | 55 bits        | 3.60 × 10¹⁶           | ~1.14 years                    | Strong
6          | 66 bits        | 7.38 × 10¹⁹           | ~2,340 years                   | Very Strong
7          | 77 bits        | 1.51 × 10²³           | ~4.79 × 10⁶ years              | Excellent
8          | 88 bits        | 3.09 × 10²⁶           | ~9.81 × 10⁹ years              | Excellent
9          | 99 bits        | 6.34 × 10²⁹           | ~2.01 × 10¹³ years             | Maximum
10         | 110 bits       | 1.30 × 10³³           | ~4.11 × 10¹⁶ years             | Maximum

Assumptions: 2048-word list, words only, no augmentation. Adding digits/symbols per word increases entropy per element.

Common Password Comparison

Password Type               | Entropy (bits) | Possible Combinations | Time to Crack      | NIST Strength Rating
8-char random (a-z)         | 37.6 bits      | 2.09 × 10¹¹           | ~3.5 minutes       | Weak
8-char mixed case+digits    | 47.6 bits      | 2.18 × 10¹⁴           | ~2.5 days          | Fair
12-char full ASCII          | 78.8 bits      | 3.01 × 10²³           | ~9.54 × 10⁶ years  | Excellent
4-word passphrase + digit   | 47.3 bits      | 1.76 × 10¹⁴           | ~2 days            | Fair
6-word passphrase + symbol  | 71 bits        | 2.36 × 10²¹           | ~7.5 × 10⁴ years   | Very Strong

Frequently Asked Questions

Entropy determines security, not complexity. A 4-word passphrase from a 2048-word list has ~44 bits of entropy. An 8-character password using lowercase only has ~37.6 bits. The passphrase is both stronger and dramatically easier to memorize. NIST SP 800-63B explicitly recommends longer passphrases over short complex passwords because users can remember them without writing them down - which itself is a security risk.

No. Security is calculated assuming the attacker knows everything about your method except the specific random choices made (Kerckhoffs's principle). The entropy formula E = n × log₂(2048) already assumes the attacker has the exact word list. The security comes from the combinatorial explosion: 2048⁶ ≈ 7.38 × 10¹⁹ possible 6-word passphrases.

When mapping a 32-bit random integer (range 0 to 2³² − 1) to a word list of size W, naive modulo (rand % W) creates bias because 2³² is not evenly divisible by W. This tool uses rejection sampling: it calculates the largest multiple of W that fits within 2³² and discards any random value at or above that threshold, retrying until a value falls within the unbiased range.

For casual web accounts: ≥44 bits (4 words). For email and financial accounts: ≥55 bits (5 words). For master passwords (password managers): ≥66 bits (6 words). For cryptographic key derivation or high-security contexts: ≥77 bits (7+ words). Adding a random digit per word adds ~3.32 bits each; a symbol from an 8-character set adds ~3 bits each.

No. Math.random() uses a PRNG (pseudorandom number generator) seeded from a predictable state. An attacker who knows the algorithm and can observe or guess the seed can reproduce the entire output sequence. The Web Crypto API (crypto.getRandomValues) draws from the operating system's CSPRNG (Cryptographically Secure PRNG), which is seeded from hardware entropy sources (thermal noise, interrupt timing, etc.) and is computationally infeasible to predict.

Clipboard contents persist until overwritten and can be read by other applications or browser extensions with clipboard access. Auto-clearing after 60 seconds limits the exposure window. This matches the behavior of password managers like KeePass and 1Password. The timeout is configurable in this tool's settings; reducing it below 30 seconds is recommended for high-security environments.

Only if the capitalization pattern is random. If you always capitalize the first letter, the attacker knows this and gains zero additional entropy. This tool optionally applies random capitalization transforms (all-lower, all-upper, title-case, or random per-character), which adds up to log₂(4) ≈ 2 bits per word when the transform is randomly selected from 4 options.