Frequently Asked Questions

Everything you need to know about TofuPass and password security

About TofuPass

What is TofuPass?
TofuPass is a privacy-focused password generator that helps create strong, memorable passwords and passphrases. It was created with the belief that security tools should be both powerful and user-friendly. All password generation happens entirely in your browser - we never see or store your passwords.
Why is it called TofuPass?
Just as tofu absorbs the flavors of whatever it's cooked with while maintaining its core structure, TofuPass adapts to your security needs while maintaining its core strength. Plus, we think it's a fun, memorable name that reflects our philosophy of making security more approachable!
Is TofuPass free to use?
Yes! TofuPass is completely free and open-source. We believe everyone should have access to strong password generation tools without compromising their privacy or wallet.

Password Generation

How does the password generator work?
Our standard password generator creates passwords using a combination of:
  • Two random words (one capitalized)
  • A random special character (!@#$%^&*)
  • A random two-digit number
The elements are combined in random order to create passwords like "Dancing@tiger47" or "happy#Dragon92". This method creates passwords that are both strong and memorable.
How secure are the generated passwords?
Let's break down the math:
First word combinations: 450 words × 2 (capitalization) = 900 Second word pool: 400 words Special characters: 8 options Two-digit numbers: 90 possibilities (10-99) Possible arrangements: 4 formats Total combinations = 900 × 400 × 8 × 90 × 4 = 1,036,800,000
This gives approximately 30 bits of entropy, making it resistant to most brute-force attacks while remaining memorable.
How does the passphrase generator work?
The passphrase generator uses a carefully curated list of 2,048 common English words. For a four-word passphrase:
Entropy = log2(2048^4) = 44 bits Possible combinations = 2048^4 = 17,592,186,044,416
This provides exceptionally strong security while being easier to remember than traditional passwords.

Security & Privacy

Is it safe to use an online password generator?
TofuPass generates all passwords locally in your browser using JavaScript's cryptographically secure random number generator (crypto.getRandomValues()). No passwords are ever transmitted over the internet or stored anywhere. You can even use TofuPass offline once the page is loaded!
What makes a password strong?
A strong password should have:
  • Sufficient length (12+ characters)
  • A mix of characters (letters, numbers, symbols)
  • Randomness (unpredictable patterns)
  • Uniqueness (not used elsewhere)
TofuPass-generated passwords meet all these criteria while remaining memorable.
Why does TofuPass combine words instead of using random characters?
This approach, inspired by XKCD's famous "correct horse battery staple" comic, creates passwords that are:
  • Easier to remember than random characters
  • Less likely to be written down (improving security)
  • Still highly resistant to brute-force attacks
  • Easier to type, especially on mobile devices

Technical Details

What random number generator does TofuPass use?
TofuPass uses the Web Crypto API's crypto.getRandomValues() method, which provides cryptographically secure random numbers. This is the same level of randomness used in encryption and is far superior to JavaScript's standard Math.random().
How does the "Big Pass" feature work?
Big Pass generates a full screen of random characters, useful for:
  • Visual entropy generation
  • Creating multiple passwords at once
  • Demonstrating randomness patterns
The display automatically adjusts to your screen size while maintaining consistent character spacing.
Can I use TofuPass offline?
Yes! Once you've loaded the TofuPass website, it works completely offline. All the word lists and generation logic are included in the page, and no server communication is required for password generation.

Best Practices

How often should I change my passwords?
Modern security guidance suggests changing passwords only when:
  • There's evidence of compromise
  • You've shared the password
  • You've used it on an unsecured network
Frequent mandatory password changes often lead to weaker passwords and should be avoided.
Should I use a password manager?
Yes! We recommend using TofuPass in combination with a password manager. Use TofuPass to generate strong passwords, and use a password manager to store them securely. This gives you the best of both worlds: strong, unique passwords for every site without having to remember them all.

Future Updates

What's next for TofuPass?
We're constantly working to improve TofuPass. Upcoming features may include:
  • Custom word lists
  • Password strength visualization
  • Additional language support
  • Progressive Web App (PWA) support