Secure Passphrase Generator

Generate memorable passphrases you'll actually use.

A quotephrase starts with a line you already know, from a movie, show, song, or book, and becomes a strong password once you personalize it. A famous quote on its own is in attackers' wordlists; your twist is what makes it secure.

Aligned with NIST SP 800-63B passphrase guidance. Use a quotephrase only as a master password for your password manager, let the manager generate unique random passwords for every other site.

How it works

  1. 1

    Pick a topic

    Choose a movie, show, song, author, or any topic you love. The more it means to you, the easier the phrase is to remember.

  2. 2

    Set your rules

    Dial in length and required characters so the result fits the site you're using.

  3. 3

    Personalize it

    Remix the line so it's no longer the verbatim quote. This step, not the quote, is what makes it strong.

  4. 4

    Lock it in

    A 60-second typing drill (copy it, recall it from cues, then from memory) before you use it anywhere real.

2035 chars
10
20–35 charsASCII only
How the method works

Pick a topic and hit "Find phrases" to get started. How does it work?

Tweak a line you almost liked: drop a word, swap one, add your own twist. You'll get an honest strength rating, then a 60-second typing drill that locks the line into memory. Everything runs locally in your browser; your phrase never leaves this page.

Why a quotephrase beats a short random string

A long passphrase beats a short random password on raw entropy, but a famous quote used verbatim sits in attackers' wordlists and falls in seconds, no matter how long it is. The remix, not the quote, is what carries the security. See how it works: the full argument, with the research behind it →

Passphrase security, in plain terms

Is a famous quote safe to use as a password?

Not on its own. Attackers' wordlists include famous quotes, song lyrics, and book lines, so a verbatim 30-character quote can cost about one guess. It becomes safe after you remix it: splice it with another line, answer it with your own retort, or add unrelated words, so the result is no longer in any wordlist.

Does my passphrase leave my browser?

The strength tester and the typing drill run entirely in your browser: the phrase you type is rated by a local estimator (zxcvbn plus a local famous-quote list) and is never transmitted. Only the topic you search goes to our server to generate quote candidates, and the only phrases we store are ones you explicitly save as favorites, protected by row-level security on your account.

Why does QuotePhrase rate my phrase lower than other password checkers?

Most checkers only count length and character variety, so a 42-character movie quote scores 'trillions of years', yet it falls in seconds to a wordlist attack. Our meter counts known quotes and published fragments as free for attackers, so the bits shown measure only what an attacker cannot look up. The lower number is the honest one.

More questions answered on the full FAQ · deep dive in how it works

Keep learning: How it works · Examples · Research