About TofuPass
Everything you might want to know.
A privacy-focused password generator that creates strong, memorable passwords entirely in your browser. No server ever sees what you generate.
My handle is "TofuWater," so "TofuPass" was the obvious choice. The fact that it sounds like "Tough Pass" was a happy accident I now claim was intentional.
Me - Matthew, a.k.a. TofuWater. Service Desk Technician by day, cybersecurity tinkerer by night. I built TofuPass because I wanted a password generator I could actually trust and hand to end users without hesitation.
Completely free. I don't make money from it. No ads, no premium tier, no data to sell. It's a passion project I run at a happy loss.
Yes - both halves of it. The site's HTML, CSS, and JavaScript are on GitHub, and the backend API server that powers /api/* is public too. Both are under the GNU GPL v3, so you can audit exactly what runs in your browser and what happens on the server, fork either one, and modify it - as long as your fork stays open-source under the same license. The frontend's curated word lists are kept private to keep password outputs less predictable, but the generation logic - including the use of crypto.getRandomValues() - is fully visible.
The TofuPass name and the Miso mascot (tofu, alert, and excited artwork) are all rights reserved and not covered by the GPL. You're welcome to fork the code - just bring your own branding and mascot when you publish.
TofuPass combines curated word lists with numbers and symbols, drawing every choice from crypto.getRandomValues() for cryptographically secure randomness. Soft = word + word + number. Firm = symbol + Word + Word + number. Extra Firm = four-word passphrase.
Soft and Firm offer over a billion combinations (~30 bits of entropy). Extra Firm draws from 4,000+ words for 280+ trillion combinations (~48 bits), which covers most real-world needs.
!DancingKoala73 is far easier to recall than j2#Xp9$k but provides comparable security. When people can actually remember a password, they're less likely to reuse it.
Yes. Everything runs locally in your browser. Nothing is sent to any server. It even works offline once the page has loaded.
No. No analytics, no cookies, no tracking pixels. There's no account system and no data to collect in the first place.
Absolutely. A password manager is the single best security upgrade most people can make. Bitwarden (free, open-source) and 1Password are both great. TofuPass generates passwords to put in your manager.
The Web Crypto API's crypto.getRandomValues() - a CSPRNG built into every modern browser, the same standard used in banking and encryption.
Yes. Free, no auth required. GET tofupass.com/api/password for a single password, GET tofupass.com/api/passphrase?count=4 for a passphrase. See the API docs for details.
Only when you think one has been compromised. NIST recommends against forced rotation - it encourages weak, predictable patterns. Use strong, unique passwords and change them when you need to, not on a schedule.