Random Password Phrase Generator
Generate memorable XKCD-/Diceware-style passphrases from a curated 1646-word English list with crypto.getRandomValues, rejection-sampled to avoid modulo bias. Configure word count, separator, case style, optional digits and symbols; live entropy meter and 12-phrase history. Free and private.
What is the Random Password Phrase Generator?
A passphrase generator builds passwords from a string of random words instead of random characters. They're easier to type, easier to remember and — when long enough — stronger than dense gibberish like "Tr0ub4dor&3". Toollyz Random Password Phrase Generator implements the classic XKCD 936 / Diceware pattern using a curated 1646-word English list (4–8 letter words, no apostrophes or hyphens) with ~10.7 bits of entropy per word. Word selection uses `crypto.getRandomValues` — the same CSPRNG browsers use for HTTPS key generation — with rejection sampling so every word is exactly equally likely (no modulo bias). Configure the word count (2–12), separator (hyphen / period / underscore / space / none), case style (lowercase / Title Case / UPPER CASE / camelCase), optional 0–4 appended digits and an optional appended symbol from a copy-safe set (`!@#$%&*?+-=`). The hero shows the current phrase with a colour-coded entropy band (Weak < 40 bits / Fair < 60 / Strong < 80 / Excellent ≥ 80). Re-roll generates a fresh phrase; the last 12 are kept in localStorage. Toollyz has no backend.
How to use it
- Pick how many words you want (5+ recommended for ~53 bits).
- Choose separator, case style and optional digits / symbol.
- Watch the live entropy band — Strong (≥ 60 bits) is good for most accounts, Excellent (≥ 80 bits) for long-term secrets.
- Click Re-roll for a fresh phrase or Copy to grab it.
Benefits
- 1646-word curated English list (~10.7 bits per word).
- crypto.getRandomValues with rejection sampling — no modulo bias, no Math.random fallback.
- Live entropy meter with four colour-coded bands (Weak / Fair / Strong / Excellent).
- Word count slider 2–12, with 5 as a balanced default (≈ 53 bits).
- Five separators (hyphen / period / underscore / space / none) and four case styles (lowercase / Title / UPPER / camelCase).
- Optional 0–4 appended digits and a copy-paste-safe symbol for sites that demand them.
- 12-phrase history kept in localStorage with one-tap copy.
- 100% private — phrases generated locally, nothing uploaded.
Frequently asked questions
How is this different from the regular Password Generator?
The regular Password Generator builds dense character strings (like "K7q!fX2#"). This Passphrase Generator builds word strings (like "Horse-Battery-Saddle-Pebble-Window"). Both can be strong; passphrases are easier to type and remember, dense passwords are shorter on screen.
What does "entropy" mean here?
Entropy measures unpredictability in bits. Each bit doubles the number of guesses an attacker would need to brute-force the secret. 60 bits is solid for most accounts; 80+ is excellent. Each word from a 1646-word list adds ~10.7 bits — five words is ~53 bits, six words is ~64 bits.
How random is it really?
Maximally — it uses `crypto.getRandomValues`, the browser's cryptographically secure PRNG. The same primitive HTTPS uses. Word selection then uses rejection sampling so no word is more likely than another (a naive `% wordlist.length` would bias the first few words).
Why these specific words?
All 1646 words are 4–8 lowercase letters with no apostrophes, hyphens or unusual characters — easy to type, easy to remember, easy to dictate. Common English roots that work across English-speaking regions.
Should I use digits or symbols?
Only if the site requires them. A long enough word phrase is already strong; adding digits and a symbol just makes the phrase harder to type without much real security gain. The toggles exist because many sites still enforce arbitrary character rules.
Is "correct horse battery staple" actually safe?
Per the XKCD 936 math, four common words give ~44 bits of entropy — fine for casual sites but a bit weak by 2026 standards. Five words at this list's entropy is ~53 bits, six is ~64. Pick at least five for anything important.
Can I customise the wordlist?
Not in this release — the curated list is fixed for reproducibility and security. Building your own wordlist is risky: short or unfamiliar words can drop entropy. A future version may support imports.
Is the history shared?
No. The last 12 phrases save to localStorage on this device only. Toollyz has no backend; nothing is uploaded.
Should I memorise these or use a password manager?
Use a password manager for every account. Use a single memorised passphrase for the manager itself (and any small set of high-stakes accounts that aren't in the manager). Toollyz Passphrase Generator is great for that small set.
Is this Passphrase Generator free?
Completely free with no signup and no limits. Generate as many phrases as you like — privately in your browser.
Related tools
See all generators toolsDisposable Password Generator
Generate fresh, copy once, auto-clear from the screen.
UUID Generator
Generate v1, v4, v6 and v7 UUIDs in bulk — validate any UUID instantly.
Password Generator
Create strong, secure passwords in 6 modes — with live entropy and crack-time analysis.
Hash Generator
MD5 + SHA-1/256/384/512 of text or file, with HMAC support.