This page randomly generates a password consisting of common English words. It was inspired by xkcd 936. The randomness source is window.crypto.getRandomValues, the browser's cryptographically secure random number generator (Math.random is not suitable for generating passwords).
How do I know it's safe to use this page to generate passwords?
If you can read JavaScript, it is recommended that you read the source code
(it's only 33 lines of JavaScript).
This page is a self-contained HTML file with no external dependencies and is
purposely minimalistic, so that it can easily be saved locally and audited.
I generated 15 passwords (of 4 words each), and I saw the same word "foo" generated twice. Is this normal?
Yes. 15 passwords of 4 words each is 60 draws. Based on the birthday paradox, if you randomly pick 60 words from a set of 2500 words (with replacement), the probability of seeing a word repeated is approximately:
1 - exp(-60*(60-1)/(2*2500)) = 51%
Words are drawn with replacement, so a repeat is expected and does not indicate a weak password or a faulty random source.
How strong should my password be?
It depends on your threat model. In each example below, the required entropy is log2(number of guesses the adversary can make × 1/acceptable probability of success), so that the adversary's guesses cover at most that fraction of the password space. Examples:
- Suppose you use the password to encrypt a file, and you use a memory-hard hash function such as scrypt to derive the encryption key from your password. Suppose your adversary has a cluster of 75 computing units where key derivation takes 10 ms (so each computing unit can try 100 passwords per second), and your adversary is willing to dedicate these computing resources for 1 year to crack your password. You want the probability of your adversary cracking your password to be 1 in 100,000. Then your password should have at least:
  log2(75*100*60*60*24*365 * 100000) = 54.4 bits of entropy
- Suppose you use the password to log in to a website, and your adversary can try 1 password per minute (due to rate limiting by the website server) for 1 year. You want the probability of your adversary cracking your password to be 1 in 10,000. Then your password should have at least:
  log2(60*24*365 * 10000) = 32.3 bits of entropy
- Suppose you use the password to log in to a website, and the website hashes the password with PBKDF2. Suppose your threat model includes the website getting compromised and your adversary obtaining the password hashes. Suppose your adversary can try 100,000 passwords per second on a GPU, and is willing to spend 1 day of GPU time to crack your password. You want the probability of your adversary cracking your password to be 1 in 1000. Then your password should have at least:
  log2(100000*60*60*24 * 1000) = 43.0 bits of entropy
- Suppose your adversary will know the SHA-256 hash of your password and can employ computational resources equal to the entire Bitcoin mining network (2.5 × 10^18 hashes/second as of Jan 1, 2017) for a week. You want the probability of your adversary cracking your password to be 1 in 100,000. Then your password should have at least:
  log2(2.5e18 * 60*60*24 * 7 * 100000) = 96.9 bits of entropy
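The four scenarios above carried through as code, as an added example that is not part of the original page: the same formula, plus the conversion from a bit requirement to a number of words, which is what a user of this generator actually needs to decide. The scenario figures are the page's own; the 2500-word list size is an assumption taken from the birthday-paradox answer above, and the function names are mine.

```javascript
// Added example, not the page's own code. Implements the FAQ's sizing rule:
// bits >= log2(guesses the adversary can make / acceptable probability).
function requiredBits({ guessesPerSecond, seconds, acceptableProbability }) {
  if (!(guessesPerSecond > 0 && seconds > 0)) {
    throw new RangeError("guess rate and duration must be positive");
  }
  if (!(acceptableProbability > 0 && acceptableProbability <= 1)) {
    throw new RangeError("acceptable probability must be in (0, 1]");
  }
  // The adversary gets guessesPerSecond*seconds tries; for the chance of a
  // hit to be at most p, the password space must hold at least tries/p.
  const tries = guessesPerSecond * seconds;
  return Math.log2(tries / acceptableProbability);
}

// Words drawn uniformly (with replacement) from a list of `listSize` words
// give log2(listSize) bits each; round up to whole words.
function wordsNeeded(bits, listSize) {
  if (!(listSize > 1)) throw new RangeError("wordlist needs at least 2 words");
  return Math.ceil(bits / Math.log2(listSize));
}

const SECONDS = { minute: 60, hour: 3600, day: 86400, week: 604800, year: 31536000 };

// The page's four scenarios, with the figures given in the text.
const SCENARIOS = [
  { name: "scrypt-derived file key, 75 units at 100 guesses/s, 1 year, p = 1/100000",
    guessesPerSecond: 75 * 100, seconds: SECONDS.year, acceptableProbability: 1e-5 },
  { name: "rate-limited web login, 1 guess/minute, 1 year, p = 1/10000",
    guessesPerSecond: 1 / SECONDS.minute, seconds: SECONDS.year, acceptableProbability: 1e-4 },
  { name: "leaked PBKDF2 hashes, 100,000 guesses/s on a GPU, 1 day, p = 1/1000",
    guessesPerSecond: 1e5, seconds: SECONDS.day, acceptableProbability: 1e-3 },
  { name: "SHA-256 hash, Bitcoin network 2.5e18 hashes/s, 1 week, p = 1/100000",
    guessesPerSecond: 2.5e18, seconds: SECONDS.week, acceptableProbability: 1e-5 },
];

// Required bits and word count for every scenario against one wordlist.
// listSize 2500 is an assumption taken from the birthday-paradox answer.
function planFor(listSize = 2500) {
  return SCENARIOS.map((s) => {
    const bits = requiredBits(s);
    return { name: s.name, bits: Number(bits.toFixed(1)), words: wordsNeeded(bits, listSize) };
  });
}

for (const row of planFor(2500)) {
  console.log(`${row.bits} bits -> ${row.words} words: ${row.name}`);
}
```

Against a 2500-word list (about 11.3 bits per word) the scenarios need 5, 3, 4 and 9 words respectively; a custom threat model is just another object passed to requiredBits.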