StrongPhrase.net - Random passphrases, passcodes, usernames, and identities

Another small update today:

Before, the identity generator was using Faker.js to make totally random addresses that had no correlation to realty. For example:

15999 S East Street, Oberbrunnertown, GA 72507

• No such city (though it is a hilarious name!)
• Zip code doesn’t line up with the state
• Doesn’t show up on Google maps

Now, I’m pulling from https://openaddresses.io/ to provide real addresses that will correctly geocode on Google Maps. For example:

8216 West Citrus Way, Glendale, AZ 85303

• Real town
• Zip code does line up with the city and state
• Shows up on Google Maps as an actual building

You can try it out here

Hi @AtomicBug!

I can’t believe I’m only discovering your site now. It’s extremely promising! I love it!

WHY THIS IS AWESOME!

A true passphrase generator should create an actual sentence with nouns, verbs, and adjectives, and numbers, that describe an action.

For years, I have been annoyed with the fact that the passphrase generators in password managers, and passphrase generator websites in general, don’t actually generate phrases but just random words.

Yes, random words on their own are easier to remember than passwords:

pBa(EA~'4zhe_[35K{xD8W

vs

snorkel ointment magnesium thicken 42

However, when those random words make an actual sentence, that’s when you create memory magic!

Sassy visitor smites 350 blazing eagles!

That is why the only passphrase generator I have always used is Get A Passphrase, because their passphrases are actual phrases, not just random words. I use 54 bits, to include numbers.

Every passphrase generator should follow this model.

I’m so glad someone else finally did, because one of my biggest concerns was what would I do if Get A Passphrase disappeared. I don’t even know who is behind that website.

TO THE NAYSAYERS:

Some people will argue, that with a passphrase manager, you only need to remember one passphrase and that your other passwords don’t need to be memorable. Maybe. However, I know some people who feel the need to go through the trouble of remembering additional passwords, like the ones for their bank accounts.

I don’t do this, but I prefer passphrases that create sentences because they’re more memorable. Also, they’re super silly and funny, and they insight curiosity in people who may not be as security savvy. I share passphrases all the time when I need to protect files or information I send to people.

All my passwords are memorable passphrases I got from Get A Passphrase. I also use it for random usernames, but I will now opt for Strong Phrase for that. I love that I can add it to my cybersecurity arsenal.

As someone who uses passphrases for all my online accounts, I have identified

3 FEATURES THAT EVERY WEBSITE AND PASSPHRASE GENERATOR SHOULD ADOPT:

1) Allow longer passwords: at least 50 characters.

Most of my passwords are 40 to 50 characters long because I use long passphrases. However, there are still many websites that don’t allow passwords longer than 16 to 20 characters. Many of these websites are financial institutions, which is insane. I’ve raised this issue with my banks and various websites, but they haven’t done anything about it.

2) Passphrase generators should create actual sentences.

I’ve already elaborated on why above.

3) Passphrase generators should support multiple languages.

They should create memorable sentences and support other languages than English.

Proton is a Swiss company. The official languages of Switzerland are German, French, and Italian.

IMO, it is absolutely unacceptable that their passphrase generator doesn’t support their own languages. Also, one should not have to use Proton Pass in German in order to use German for their passphrase generator. Changing the language of the generator should be an option.

I know a lot of people who prefer to use apps in English even though it’s not their first language, but they don’t use English words in their passwords. They prefer their native language.

CONCLUSION:

There are very few passphrase generator websites. Most of them don’t create memorable sentences. And from my experience, they are all in English. None support other languages. This needs to change.

Thank you @AtomicBug for fighting the good fight and making a positive difference!

Cool, thanks for the username

As an aside, is it intentional that the tab title spells it “passsphrases” with three ss in a row?

Are you sure this service is working properly? The inbox seems to be broken.

Good catch. Thank you!

Fixed the link.

It should be: https://reusable.email/

Glad it resonates.

The underlying passphrsae generation code is actually directly from GetAPassphrase developed by Ryan Foster. I found his project, forked it, and have extended it quite a bit since then obviously.

I was talking about the possible issue with the service itself.

Wow! That’s amazing! I can’t believe you found the person behind Get A Passphrase.
Years ago, I noticed that the copyright year on the website hadn’t been updated from 2017-18. And the fact that What is a Passphrase, Get A Passphrase; sister website is also not working, makes me fear that both sites have been abandoned. But now that you’ve identified the owner, maybe I can reach out to him and ask.

I’m glad you were able to fork Get A Passphrase. I hope more people do it. You’re doing a great job with Strong Phrase!

FEATURE REQUESTS:

I just thought of new features you might want to consider:

1. Word Separators

The option to add word separators would be cool.

Although spaces can be used in passwords, using them can sometimes create problems. Although I have never intentionally used spaces in a password/phrase, I have done so mistakenly in the past.

I added a space to a password by mistake, usually at the beginning or the end. This would cause sign-ins to fail, but luckily, I always figured out the issue. With a passphrase, spaces are in the middle, so the risk of mistakes is higher. Especially if between two words you type two spaces instead of one.

The most commonly used separators for passphrases are the dash and the dot.

Depraved-delegate-propels-640-worthless-cokes!

Depraved.delegate.propels.640.worthless.cokes!

Visually, they make your passphrase crystal clear compared to other special characters.

Depraved%delegate%propels%640%worthless%cokes!

2. Character Counter

This may not be a must for some people in the privacy community, especially if you use a password manager that has a character counter (1Psasword). But it’s still useful for those who don’t have a character counter in their password manager (Proton Pass).

3. Color Code for Different Types of Characters

1P CHARACTER COUNTER + COLOR CODE1729×403 49.5 KB

Again, not a must if your password manager already has this (most don’t), but it’s useful as a visual indicator.

1Password has some mistakes in its character color code in that it doesn’t differentiate capital letters (A, B, C, ) from small letters (a, b, c,). Also, some special characters are not color coded when they should be (e.g. €, ¥ ).

All this is to say, if you copy 1Password, don’t copy their mistakes.

New feature: Multiple passphrase formats and wordlists

→ https://strongphrase.net/#/more

image2064×1554 274 KB

I have been wanting a place to generate other passphrase formats. As mentioned above, the strongphrase.net formats are pretty long for a given entropy amount.

So I built a generator that has an entropy slider. Set your entropy level, and pick from the formats and wordlists!

Passphrase formats:

• StrongPhrase.net
• EFF long diceware wordlist
• EFF short diceware wordlist
• Orchard Street long wordlist
• Orchard Street short wordlist

It also allows you to pass the bit amount as a URL parameter, such as:

https://strongphrase.net/#/more?bits=70

So, for instance, you can suggest that someone pick from a passphrase on the list that works best for them, but ensure they are starting with an entropy amount that you suggest.

As always, open to feedback!

I was feeling pretty unsatisfied with the rigor of the research I had around how quickly forensic tools (graykey, cellebite) can crack passcodes. So I did some more digging. Here’s what I found. (Now updated on the StrongPhrase.net Passcode page):

The iOS documentation claims that each passcode attempt should take at least 80 milliseconds, which equals 12.5 guesses/second.

The Android documentaiton says it targets 25 milliseconds per attempt, which equals 40 guesses/second.

These rates assume that cracking tools can bypass the tools (Secure Enclave, etc.) that are used to protect the passcode.

In practice, the tools law enforcement use to crack a passcode are currently generally much slower than the rates in the iOS/Android documentation. The forensic tools that cops use (like GrayKey and Cellebrite) are generally slower. A 2025 LinkedIn post from a cop incidates a crack rate of 2.2 attempts/minute (595,000 attampts over 192 days) or 0.036 guesses/second.

We use 12.5 guesses/second as the default crack rate because it is a conservative middle-ground.

You can adjust the crack rate using the dropdown menu at the top of this page.

The observed cellebrite crack rate (from 2025 on an iPhone SE w/ A13 chip) is particularly interesting to me. Because it’s the most up-to-date information I’ve been able to find on actual crack rates. This of course assumes that the forensic device doesn’t have an exploit to just bypass the passcode all together.

(If anyone has info on crack rates that is more up to date, please let me know!)

I used this info to update the “avg time to crack” table on the page:

image1776×1490 354 KB

I also added a “how easy is your passcode to crack” feature. It uses my list of six-digit passcodes from the RockYou list combined with a list of all possible six-digit date formats (MMDDYY, etc). I wanted a place to refer people to test their passcode.

I don’t think it’s a good idea for anyone to ever trust a website like this, so I encourage folks to put in a code similar to theirs instead of their real code.

image1790×706 75.7 KB

I was literally checking the website again yesterday after a while - and pleasantly surprised with some new updates and improvements! Good job!