passphrase.guru

Security & privacy model

An honest, conservative explanation of how passphrase.guru protects the secrets you generate — what it does, how it works, and the limits you should know about.

Everything is generated in your browser

All passphrases, passwords and tokens are created locally, on your device, by JavaScript running in your browser. There is no server-side generation step. The page is effectively a static tool: once it has loaded, it does its work without talking to a backend.

Your secrets are never sent or stored

The values you generate are not transmitted over the network, not written to a log, not saved to an account, and not placed in a cookie. There are no user accounts at all. The only analytics is a privacy-friendly, cookieless tool that counts anonymous page views — it never receives the secrets you generate.

What randomness source is used

Randomness comes from the Web Crypto API (crypto.getRandomValues), the cryptographically secure random number generator built into modern browsers. When the generator maps random bytes onto a wordlist or character set, it uses rejection sampling to avoid modulo bias, so every word or character is equally likely. It never uses Math.random for secrets.

How entropy is estimated

Because the tool chooses the words and characters itself, it knows the exact size of the pool each one was drawn from and computes entropy directly: bits = length × log2(pool size). It does not use a heuristic strength meter, which would underrate truly random secrets. The crack-time figures are illustrative, based on assumed guess rates, and the quantum estimate reflects only Grover’s quadratic speedup.

What this tool can and cannot protect against

It can give you a high-entropy secret that resists guessing and offline cracking. It cannot protect you from a compromised device, a keylogger, malware, shoulder-surfing, phishing, or a service that stores your password poorly. Strong generation is one layer; safe storage and good habits are the others.

Treat the output as sensitive the moment it appears on screen. Copy it into your password manager, then clear your clipboard if you are on a shared machine.

Practical advice we stand behind

Use a reputable password manager so each account has a unique secret and you only memorize one strong passphrase. Never reuse a passphrase or password across services. Enable two-factor authentication where offered. Prefer length over complexity. And keep your devices and browser up to date — the strongest secret cannot help a compromised machine.

Offline use and JavaScript

The generators require JavaScript, because the cryptographic work happens in the browser; with JavaScript disabled, the tool cannot produce secrets. Once the page has loaded, it works offline — you can disconnect from the network and keep generating, which is a reasonable way to create a high-value secret with extra confidence that nothing is leaving your machine.

Frequently asked questions

Do my generated secrets ever leave my browser?

No. They are generated locally and are never transmitted, logged or stored. There are no accounts and no cookies.

What random number generator does the site use?

The Web Crypto API’s cryptographically secure generator (crypto.getRandomValues), with rejection sampling to avoid bias. Math.random is never used for secrets.

Can I trust the entropy numbers?

Yes for the entropy itself — it is computed exactly from the pool size and length, not estimated by a strength meter. The crack-time figures are illustrative and depend on assumed attacker speed.

Does the tool work without an internet connection?

Yes, once the page has loaded. You can disconnect and keep generating, since all the work happens in your browser.

Is this a substitute for a password manager?

No. It generates strong secrets; a password manager stores them safely and fills them in. Use both together.