Memorable Passwords That Actually Work
x7$kQ2m!vP9 is a strong password. It’s also impossible to remember and awful to type. You’ll spend 30 seconds hunting for the right keys, make a typo, try again, make another typo, then give up and paste it from your password manager. Which is fine — until you need to type the master password for the password manager itself.
Passphrases flip the equation. copper-morning-garden-bridge-silent has five random words, and you’ll remember it after typing it three or four times. The security doesn’t come from weird symbols or mixed case. It comes from the randomness of word selection. Five words picked randomly from a 200-word list give you about 38 bits of entropy from the words alone. Add capitalization, a number, and a symbol, and you’re well into brute-force-proof territory.
The Math Behind Passphrases
Each word from a 200-word list adds roughly 7.6 bits of entropy. So:
- 4 words: ~30 bits (minimum viable)
- 5 words: ~38 bits (solid for most accounts)
- 6 words: ~46 bits (strong)
- 7 words: ~53 bits (very strong)
For comparison, a random 12-character password with all character types gives you about 79 bits. To match that with words alone, you’d need around 10 words. But here’s the thing — nobody’s brute-forcing passphrases word-by-word against your master password. Online systems lock you out after a few failed attempts. The real threat is offline cracking of leaked hashes, and 5-6 words is more than enough to make that infeasible.
Tack on a number and symbol (like Garden-Bridge-Copper-Morning-Silent-4$) and you’ve satisfied every annoying password policy ever written.
Where Passphrases Shine
Your password manager’s master password. This is the one password you actually need to remember and type by hand. A 5-word passphrase is perfect — strong enough to protect all your other passwords, memorable enough to type from muscle memory after a week.
Wi-Fi passwords for guests. “The password is copper morning garden bridge silent.” Compare that to dictating “lowercase x, seven, dollar sign, uppercase K, lowercase q, two, lowercase m, exclamation mark…” over the phone.
Work systems that block password managers. Some corporate environments won’t let you install browser extensions. A passphrase lets you type a strong password from memory without relying on a manager.
Disk encryption. Full-disk encryption passwords get typed at boot, before your password manager is even accessible. A passphrase you can reliably type from memory is essential.
Configuring the Output
Pick your word count (4-8), choose a separator (hyphens, spaces, dots, underscores), and optionally enable capitalization, a random number, or a random symbol. Each click generates something completely new thanks to crypto.getRandomValues().
The word list is deliberately limited to 200 common, easy-to-spell English words. A bigger list would give more entropy per word but would include obscure words like “bivouac” or “quahog” that you’d misspell half the time. Better to use 6 common words than 5 obscure ones.
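An added example, not the generator's own code: one way to pick words with crypto.getRandomValues() without modulo bias, and to reproduce the entropy figures from the math section. SAMPLE_WORDS, SYMBOLS, the function names, and the "number then symbol at the end" layout are assumptions; the page's 200-word list is not reproduced here.

```javascript
// Works in browsers; the require() fallback is only for older Node versions.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed sample list (assumption). The real list has 200 words.
const SAMPLE_WORDS = ["copper", "morning", "garden", "bridge", "silent",
                      "river", "window", "candle", "forest", "marble"];
const SYMBOLS = "!@#$%&*?"; // assumed symbol set

// Uniform integer in [0, n) by rejection sampling. A plain `value % n`
// is slightly biased whenever n does not divide 2^32, and 200 does not.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError("n must be an integer in 1..2^32");
  }
  const limit = 0x100000000 - (0x100000000 % n); // largest multiple of n
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit); // discard the biased tail and redraw
  return buf[0] % n;
}

function generatePassphrase(words, count, opts = {}) {
  const { separator = "-", capitalize = false, number = false, symbol = false } = opts;
  if (new Set(words).size !== words.length) {
    throw new Error("duplicate words reduce entropy per word");
  }
  const picked = [];
  for (let i = 0; i < count; i++) {
    const w = words[randomIndex(words.length)];
    picked.push(capitalize ? w[0].toUpperCase() + w.slice(1) : w);
  }
  let out = picked.join(separator);
  if (number) out += separator + randomIndex(10);
  if (symbol) out += SYMBOLS[randomIndex(SYMBOLS.length)];
  return out;
}

// Entropy in bits: each independent uniform choice adds log2(options).
// Capitalizing every word is a fixed transformation and adds nothing.
function entropyBits(listSize, count, opts = {}) {
  let bits = count * Math.log2(listSize);
  if (opts.number) bits += Math.log2(10);
  if (opts.symbol) bits += Math.log2(SYMBOLS.length);
  return bits;
}

console.log(generatePassphrase(SAMPLE_WORDS, 5, { capitalize: true, number: true, symbol: true }));
console.log(entropyBits(200, 5).toFixed(1)); // 5 words from a 200-word list
```

The entropy figures only hold when every word is drawn independently and uniformly; regenerating until a phrase "looks nice" or hand-picking words lowers them.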
For random character strings (better when you’re pasting from a password manager), the Password Generator handles that. The Password Strength Meter can evaluate either type.