What it does
This tool builds a strong secret in your browser — either a random character password (a string like Kp7mRt4vXq2nYw6s) or a random passphrase made of real words (like correct-horse-battery-staple). Switch between the two with the toggle, adjust the options, and a fresh result appears each time. Nothing is typed in, stored, or sent anywhere.
Length beats complexity
The strength of a random secret is measured in entropy — roughly, how many guesses an attacker would need, counted in bits. Each extra character or word adds a fixed number of bits, so length is the biggest lever you control — far more than swapping in a symbol or a capital letter.
This is now mainstream security advice, not a trick. The UK's National Cyber Security Centre recommends building a password from three random words, and the US standard NIST SP 800-63B tells services to allow long passphrases, to stop forcing awkward mixes of character types, and to stop demanding routine password changes — because those rules push people toward predictable patterns without adding real strength.
How it works
Both modes draw from a pool at random. A character password draws characters from a pool of letters — plus digits and symbols if you switch them on — while a passphrase draws whole words from a fixed list. Either way the randomness comes from crypto.getRandomValues, the browser's cryptographically secure generator, not Math.random, which is fast but predictable and unfit for secrets. To keep every choice equally likely, the generator uses rejection sampling: it discards the rare random values that would otherwise skew the result (the "modulo bias") and draws again.
Character passwords
The pool always contains lower- and upper-case letters, and grows to add the digits 2–9 if you switch on numbers and the symbols !@#$%^&*-_=+ if you switch on symbols. The look-alike characters I, O, l, 1 and 0 are left out, so you can read a password off the screen and type it without mistaking a one for an ell.
With letters plus numbers and symbols the pool here is 68 characters, so a 20-character password carries about 20 × log₂(68) ≈ 122 bits — already far beyond brute-force guessing.
Passphrases: strong and memorable
A passphrase trades a big character pool for a big word pool. Each word is picked at random from the EFF Long Wordlist of 7,772 common English words, so every word contributes about log₂(7,772) ≈ 12.9 bits. A 4-word passphrase therefore carries roughly 52 bits, and each word you add is worth almost 13 more — yet it stays easy to read, say and type. Capitalising the words, changing the separator, or adding a number or symbol helps a passphrase satisfy a site's rules but adds little real strength; only more words do that.
That wordlist was chosen deliberately: its authors removed profane, offensive and easily-confused words and kept everything short and familiar, so the passphrases come out clean and typeable.
Common uses
- Password-manager entries: generate a long random password and let the manager remember it — you never have to read it.
- Secrets you must remember: your device login, your password manager's own master password, or disk encryption — a passphrase is strong yet memorable.
- Reading a secret aloud: a passphrase, or the look-alike-free password, survives being dictated over the phone or typed on a TV remote.
- New accounts: a unique secret per site, so one breach can't unlock the rest.
Frequently asked
Passphrase or password — which should I use?
Use a password manager holding long random passwords for the accounts it stores, and a passphrase for the few secrets you have to type from memory. Both are strong; the passphrase is simply easier for a human to carry.
Are four random words really enough?
Four words from this list is about 52 bits, which is strong for any account that limits guessing — as reputable online services do. For a master password or disk encryption, where an attacker can guess offline at speed, add words: five or six is comfortably strong. Use the Rate for: Online / Offline switch to see how the same passphrase is judged against each kind of attack.
Should I still add symbols and numbers?
Only where a site insists. Forced symbols add little entropy and a lot of friction, while length adds the most strength — which is exactly why NIST now advises services to drop mandatory composition rules.
Do you store or send what I generate?
No. Everything happens in your browser in JavaScript; nothing is transmitted to ToolHare or saved after you leave the page. For total certainty you can disconnect from the internet, generate, and the tool still works.
Wordlist: the EFF Long Wordlist (hyphenated entries removed), © Electronic Frontier Foundation, licensed CC BY 3.0 US. See how we build and verify our tools.