Secure Password and Passphrase Generator with Entropy Meter

🔐 Secure Password and Passphrase Generator

Cryptographically secure. 100% client-side. No data leaves your browser.

Generated Password
Click Generate
Entropy — bits
Character Sets
Options
Generated Passphrase
Click Generate
Entropy — bits
Separator
Options
Wordlist: 2048 words · 11.0 bits/word · EFF-style diceware
✅ Copied to clipboard!
Built by VahaC — 100% client-side, no data sent anywhere.

This secure password and passphrase generator runs entirely in your browser, uses the Web Cryptography API (crypto.getRandomValues()), and never sends a single character to any server. Whether you need a random string for a database root user or a memorable diceware phrase for your VPN login, this secure password and passphrase generator has you covered — with live entropy scoring in bits so you always know how strong your secret actually is.

What This Secure Password and Passphrase Generator Does

This tool has two modes, selectable via tabs:

🔑 Password tab — generates a random character string with full control over:

  • Length from 4 to 128 characters (slider + direct number input)
  • Character sets: uppercase A–Z, lowercase a–z, digits 0–9, symbols !@#$%^&*()…
  • Option to exclude visually ambiguous characters like l, I, 1, O, 0 — useful when passwords appear in printed documents or low-contrast UIs
  • Batch generation (×5) — shows five alternatives at once, click any to copy

📖 Passphrase tab — generates a multi-word diceware-style phrase based on the EFF diceware method:

  • Word count from 2 to 12 words
  • Separator: space, dash -, dot ., underscore _, or none
  • Optional first-letter capitalization per word
  • Optional appended random number for extra entropy
  • Wordlist: 2048 curated English words, giving exactly 11.0 bits per word

Both tabs display a live entropy meter in bits, with a color-coded strength label: Weak 🔴 / Fair 🟡 / Strong 🟢 / Very Strong 💎.

How to Use It

  1. Choose a mode — Password for high-entropy random strings, Passphrase for memorable but secure phrases.
  2. Adjust the settings — set length or word count, enable the character sets you need.
  3. Click ⚡ Generate — a new credential appears instantly. The entropy score updates live.
  4. Click 📋 Copy — the value goes to your clipboard. No selection required.
  5. Store it — paste directly into a password manager. Never reuse or write it down on paper.

Understanding Entropy in Bits

Entropy tells you how unpredictable a secret is. This secure password and passphrase generator calculates it with the standard formula:

  • Password: bits = length × log₂(charset_size) — a 20-character password using all four character sets yields ~130 bits.
  • Passphrase: bits = word_count × log₂(2048) — a 5-word phrase gives 55 bits; 8 words gives 88 bits.

NIST SP 800-63B recommends a minimum of 8 characters but strongly encourages longer passwords and passphrases. In practice, aim for 80+ bits for most accounts and 100+ bits for sensitive services like root SSH keys, encryption keys, or a password manager master phrase.

If you’re using this secure password and passphrase generator to create credentials for a self-hosted password manager, check out the self-hosted Bitwarden guide or the Vaultwarden Docker setup — use a 7–8 word passphrase for the master password.

Practical Use Cases 🛠️

🏠 Home server accounts — generate strong passwords for Proxmox root, SSH keys, and admin dashboards. Pair with Docker hardened images for a locked-down container setup.

🔒 Password manager master password — use the passphrase mode with 7+ words and capitalization. This gives you a credential that’s both auditable and resistant to brute force.

🌐 VPN pre-shared keys — need a high-entropy secret for WireGuard? A 24-character output from this secure password and passphrase generator with all charsets fits perfectly.

📦 Service secrets and API keys — use 32+ characters, all charsets. The entropy meter confirms when you’ve hit the safe zone.

🖨️ Credentials in printed docs — enable “Exclude ambiguous chars” so lI1O0 never cause misreading during manual entry.

Privacy, Ads, and Data Policy

This tool collects nothing and costs nothing.

  • 100% free — no registration, no account, no paywall
  • No data storage — inputs and generated secrets never leave your browser
  • No ads in results — no watermarks, no tracking pixels, no analytics inside the tool
  • Client-side only — the wordlist and all logic are bundled in the JavaScript file; no external API calls are made at any point

The use of crypto.getRandomValues() rather than Math.random() is intentional. Math.random() is not cryptographically secure and must never be used to generate passwords or secrets.

Open Source and Self-Hosting

The source code for this secure password and passphrase generator is published on GitHub. It’s a single folder — index.html, style.css, script.js — that you can drop onto any static host or serve locally. No build step, no dependencies, no node_modules.

If you find it useful, explore the rest of the VahaC tools collection — all tools follow the same principles: zero dependencies where possible, no backend, no telemetry.zero dependencies where possible, no backend, no telemetry.