Frequently Asked Questions
Everything you need to know about TofuPass and password security
About TofuPass
What is TofuPass?
TofuPass is a privacy-focused password generator that helps create strong, memorable passwords and passphrases. I created it with the belief that security tools should be both powerful and user-friendly. All password generation on the website happens entirely in your browser. Your passwords are never seen or stored by me.
Why is it called TofuPass?
I'd love to tell you it came to me in a vision, but honestly? My online handle is 'TofuWater,' so 'TofuPass' was just the path of least resistance and it sounds way better than 'SecureGeneratorPro v2.5.' The fact that it sounds exactly like 'Tough Pass' was a glorious, happy accident. It's the kind of 4D-chess wordplay that I now claim was my master plan all along.
Who is behind TofuPass?
TofuPass was designed and built by me, Matthew "TofuWater"! By day, I'm a Service Desk Technician, and by night, I'm a cybersecurity enthusiast who loves creating simple and secure tools. I created TofuPass because I needed a password generator that was fully transparent and trustworthy. I found that many alternatives were missing key features, handled generation server-side, or were closed-source, so you could never be sure what was happening with your data. I built TofuPass to be different, keeping the needs of IT professionals like Service Desk Techs at the forefront.
Is TofuPass free to use?
Yes! TofuPass is completely free. I believe everyone should have access to strong password generation tools without compromising their privacy or wallet.
How do you make money from TofuPass?
I don't. TofuPass is a passion project that I run at a complete loss, and I'm happy to do so. I will never charge for it, run ads, or sell user data (not that any data is collected to begin with). TofuPass exists simply because I wanted to build something I could be proud of that helps people stay secure online.
Password Generation
How does the password generator work?
The standard password generator creates passwords using a combination of:
- Two random words (one capitalized)
- A random special character (!@#$%^&*)
- A random two-digit number
How secure are the generated passwords?
Let's break down the math:
First word combinations: 450 words × 2 (capitalization) = 900
Second word pool: 400 words
Special characters: 8 options
Two-digit numbers: 90 possibilities (10-99)
Possible arrangements: 4 formats
Total combinations = 900 × 400 × 8 × 90 × 4 = 1,036,800,000
This gives approximately 30 bits of entropy (log2(1,036,800,000) ≈ 29.95). That is enough to defeat online guessing, where a site rate-limits or locks an account after a handful of attempts, while remaining memorable. It is not enough against offline cracking: an attacker holding a leaked database of fast, unsalted hashes can test a billion candidates in seconds, so for accounts whose password hashes could leak, use the passphrase generator or a fully random password from your password manager.
How does the passphrase generator work?
The passphrase generator uses a carefully curated list of over 4,000 common English words. For a standard four-word passphrase:
Entropy = log2(4000^4) = 4 × log2(4000) ≈ 4 × 11.97 ≈ 48 bits
Possible combinations = 4000^4 = 256,000,000,000,000
This provides strong security while being easier to remember than traditional passwords. Each additional word adds about 12 bits (log2(4000) ≈ 11.97), so a six-word passphrase reaches roughly 72 bits, a sensible target for any credential that might be attacked offline. You can generate longer passphrases for even greater security.
API Usage
Is there an API I can use?
Yes! TofuPass offers a simple, free API for developers to integrate password and passphrase generation into their own scripts and applications. The API is designed to be straightforward, requiring no authentication.
How do I use the Password API?
To get a standard password, make a GET request to the password endpoint. It returns a plain-text password such as Super$koala58, generated with the same logic as the homepage generator.
How do I use the Passphrase API?
To get a passphrase, make a GET request to the passphrase endpoint. The number of words is set with the count query parameter:
- Default (4 words): omit count.
- Custom word count (e.g., 8 words): pass count=8.
count must be a number between 4 and 256. If you provide a value outside this range (e.g., count=2), the API returns a 400 Bad Request error with a helpful message.
Is the API generation secure?
Yes, with one caveat. While the main website generators run entirely in your browser (client-side), the API endpoints run on the server. The generation logic is identical and uses a cryptographically secure random number generator (Node.js's crypto module). The resulting password or passphrase is sent directly to you over an encrypted HTTPS connection and is not logged or stored. Unlike the browser generator, though, an API-generated secret necessarily exists on the server for the moment it is created, so you are relying on the operator's no-logging promise; for your highest-value credentials, prefer the client-side generator, which also works offline.
Breach Check
How does the "Have I Been Pwned?" check work?
TofuPass uses the k-Anonymity range API provided by "Have I Been Pwned" (HIBP) to check for breaches without ever seeing your full password. Here's how it works:
- You enter your password: it stays in your browser and is never sent to TofuPass's servers.
- Local hashing: your browser computes the SHA-1 hash of the password, a fixed-length 40-character hexadecimal digest. For example, password becomes 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
- Partial hash sent: only the first 5 characters of the hash (e.g., 5BAA6) are sent to the HIBP API.
- Receiving a list: the API returns every breached-password hash suffix that starts with those same 5 characters (typically several hundred of them), each with a count of how many times it has appeared in breaches.
- Final check in your browser: your browser scans that list locally for the remaining 35 characters of its own hash. Your full password and full hash never leave your device.
Security & Privacy
Is it safe to use an online password generator?
It depends on the generator! TofuPass is designed with privacy as the top priority.
- The Website: the generators on the TofuPass website run 100% locally in your browser using JavaScript's cryptographically secure random number generator (crypto.getRandomValues()). No passwords are ever transmitted over the internet or stored anywhere.
- The API: the API endpoints generate passwords on the server but send them straight to you over a secure HTTPS connection. The generated passwords are not logged or stored.
What makes a password strong?
A strong password should have:
- Sufficient length (12+ characters)
- A mix of characters (letters, numbers, symbols)
- Randomness (unpredictable patterns)
- Uniqueness (not used elsewhere)
Why does TofuPass combine words instead of using random characters?
This approach, inspired by XKCD's famous "correct horse battery staple" comic, creates passwords that are:
- Easier to remember than random characters
- Less likely to be written down (improving security)
- Still highly resistant to brute-force attacks
- Easier to type, especially on mobile devices
Technical Details
What random number generator does TofuPass use?
Both the client-side website and the server-side API use cryptographically secure pseudo-random number generators (CSPRNGs). The website uses the Web Crypto API's crypto.getRandomValues(), and the server uses Node.js's built-in crypto module. These are industry-standard sources of randomness suitable for security purposes. One detail any generator built on them has to get right: mapping a raw 32-bit random value onto a list of n words by taking it modulo n is slightly biased unless n divides 2^32, so the draw should use rejection sampling or an unbiased helper such as Node's crypto.randomInt().
How does the "Big Pass" feature work?
Big Pass generates a full screen of random characters, useful for:
- Visual entropy generation
- Creating multiple passwords at once
- Demonstrating randomness patterns
Can I use TofuPass offline?
Yes! Once you've loaded the TofuPass website, the main generators work completely offline. All the word lists and generation logic are included in the page, and no server communication is required. The API endpoints, however, need an internet connection, since they run on the server.
Best Practices
How often should I change my passwords?
Modern security guidance suggests changing passwords only when:
- There's evidence of compromise
- You've shared the password
- You've used it on an unsecured network
Should I use a password manager?
Yes! I recommend using TofuPass in combination with a password manager. Use TofuPass to generate strong passwords, and use a password manager to store them securely. This gives you the best of both worlds: strong, unique passwords for every site without having to remember them all.
Future Updates
What's next for TofuPass?
I'm constantly working to improve TofuPass. Upcoming features may include:
- Custom word lists