Numbers
XKCD-Style Password Generator
The XKCD-style password generator creates strong, memorable passwords by chaining random common words — the method made famous by XKCD comic strip 936's "correct horse battery staple" example. Four random words from a 2,000-word list produces over 160 billion combinations, making brute-force attacks impractical without the visual noise of "Tr0ub4dor&3". You control the variables that actually matter. Set the word count (four words for everyday accounts, five or six for master passwords and encryption keys), pick a separator that fits the target system — hyphen, dot, underscore, space, or none — and optionally append a random number to satisfy the digit requirements most sites enforce. Generate up to several at once and keep whichever phrase sticks.
How to use
- Choose your options above
- Click Generate
- Copy your result
Detailed instructions
- Set the word count slider to 4 for standard security or 5-6 for high-value accounts like master passwords.
- Choose a separator that matches where you'll use the password — hyphens for most accounts, no separator for length-limited sites.
- Toggle 'Add random number' to Yes if the target site requires a digit in the password.
- Set the count to 5 or more so you have several options and can pick the phrase that sticks naturally in memory.
- Click Generate, read through the results aloud, and copy the one that feels most memorable to you.
Use Cases
- •Creating a master password for a Bitwarden or 1Password vault you must memorize
- •Setting a shared Wi-Fi password guests can type correctly on the first attempt
- •Generating a LUKS or VeraCrypt disk-encryption passphrase you need at every boot
- •Seeding a staging environment with realistic credential fixtures for Cypress login tests
- •Teaching a security workshop why passphrase length beats symbol-substitution complexity
Tips
- →Read generated phrases out loud — if you can say it as a quick sentence or mental image, you'll remember it far longer.
- →For disk or vault encryption, generate 10+ passwords and sleep on it; the one you still recall the next morning is the one to use.
- →Avoid setting word count below 4 — three words may fall short of entropy requirements on security-audited systems.
- →If a site rejects hyphens, switch the separator to underscore or none rather than shortening the word count to compensate.
- →When sharing a Wi-Fi password verbally, the hyphen separator makes it easy to spell out word-by-word without confusion.
- →Combine a 5-word passphrase with a hardware security key on your most critical accounts — the passphrase protects the key, not the account alone.
FAQ
are random word passwords actually as secure as random character passwords
They can be, but it depends on the word list and word count. This tool draws from a 100-word list, so four words give about 27 bits of entropy — fine for low-stakes use but not strong on their own; six to eight words (plus the optional number) push it much higher. The classic xkcd example assumes a ~2,000-word list (~44 bits for four words), so for important accounts add more words. Selection now uses a cryptographically secure random source, so the entropy is genuine.
does this generator send my passwords to a server
No. Everything runs in your browser — no inputs, no generated words, and no results leave your device. You can go offline and it still works. That said, avoid generating passwords on shared or public computers where screen-capture tools might be running.
which separator should I pick for xkcd passwords
Hyphens are the safest default: readable and accepted by almost every site and system. Use underscores when a system rejects hyphens as special characters. Skip the separator entirely only when a site enforces a strict character limit, since it saves characters at the cost of readability.
What is the famous xkcd password comic about?
xkcd comic #936, "Password Strength", argues that a passphrase of four common words (the famous "correct horse battery staple") is both easier to remember and harder to crack than a short string of random characters with substitutions like "Tr0ub4dor&3". This generator builds passwords in that style; just use enough words, since a longer passphrase is what makes the approach genuinely strong.
How many words should I use for a strong passphrase?
More words means exponentially more entropy, so for anything important favour six or more words rather than the minimum, and add the optional number for a little extra. With this tool's word list, four words are only moderate; six to eight make a passphrase that is both memorable and hard to brute-force. The generator lets you set the word count, so dial it up for high-value accounts.
You might also like
Popular tools from other categories that share themes with this one.
Try these next
More free tools from other corners of the catalog, picked by shared themes.