# Generating strong passwords & passphrases This page covers how to generate passwords and word passphrases with Relicario, how to check the strength of a candidate passphrase, and how to save your preferred generator settings so you never have to repeat yourself. --- ## Two modes: random characters vs. word passphrases `relicario generate` has two modes: | Mode | What you get | When to use it | |---|---|---| | Random characters (default) | `x7#Kp!mQr9Ew2@LnVdZ` | Site passwords, API keys, anything with a character limit | | BIP39 word passphrase (`--bip39`) | `olive bridge furnace tangle whisper` | Your vault passphrase, disk encryption, anywhere you have to type it by hand | --- ## Quick examples Generate a random 20-character password (default settings): ``` relicario generate ``` Generate a longer, 32-character password: ``` relicario generate -l 32 ``` Generate a 6-word BIP39 passphrase: ``` relicario generate --bip39 -w 6 ``` Generate a BIP39 passphrase with dashes between words instead of spaces: ``` relicario generate --bip39 --separator - ``` --- ## All flags ``` relicario generate [-l/--length N] [--bip39] [-w/--words N] [--symbols ] [--separator ] ``` | Flag | What it does | |---|---| | `-l`, `--length N` | Total length of the random-character password | | `--bip39` | Switch to BIP39 word-passphrase mode | | `-w`, `--words N` | Number of BIP39 words to include | | `--symbols ` | Symbol set: `safe`, `extended`, or a custom literal (e.g. `!@#`) | | `--separator ` | Word separator for BIP39 mode (e.g. a dash or an underscore) | ### About `--symbols` - **`safe`** — a conservative set that works on most sites without paste-rejection headaches. - **`extended`** — a broader set of symbols for maximum entropy when sites permit it. - **custom literal** — pass exactly the characters you want, e.g. `--symbols '!@#'`. --- ## Defaults Outside a vault, the built-in defaults are: - Random mode: length **20**, symbol set **safe** - BIP39 mode: **5** words, separator **space** Inside an initialized vault, any flag you leave off falls back to your **saved generator defaults** (see below). This means `relicario generate` inside your vault already "knows" your preferences — you only have to set them once. --- ## Saving your generator defaults Run this once inside your vault directory. Any flag you pass gets saved; flags you omit stay at their current value. Switch to BIP39 mode and use 6 words by default: ``` relicario settings generator-defaults --bip39 --words 6 ``` Switch to random-character mode with length 24 and extended symbols: ``` relicario settings generator-defaults --random --length 24 --symbols extended ``` Set a custom word separator for BIP39 mode: ``` relicario settings generator-defaults --bip39 --separator - ``` Full flag reference for `settings generator-defaults`: | Flag | What it does | |---|---| | `--random` | Switch the saved default mode to random-character | | `--bip39` | Switch the saved default mode to BIP39 passphrase | | `--length N` | Random mode: default password length | | `--words N` | BIP39 mode: default number of words | | `--symbols ` | Random mode: default symbol charset (`safe`, `extended`, or a custom literal) | | `--separator ` | BIP39 mode: default word separator | To see all current settings (including your saved generator defaults), run: ``` relicario settings show ``` --- ## Checking a passphrase's strength Before committing to a passphrase, you can score it: ``` relicario rate "olive bridge furnace tangle whisper sunset" ``` Or pipe it in from stdin (keeps it out of your shell history — recommended): ``` relicario rate - ``` Relicario prints a **score from 0 to 4** and an estimated number of guesses. Higher is better; aim for a 4 for anything important. > **Informational only.** The `rate` command does not block you from using a weak passphrase. It is purely a tool to help you make an informed choice. --- ## A note on your vault passphrase Your **vault passphrase** is Factor 1 of your two-factor encryption — the thing you type to unlock everything. A few things worth knowing: - Make it **strong and memorable**. You cannot reset it if you forget it (there is no recovery path for a lost passphrase — see [Recovery](recovery.md) for the full picture). - A BIP39 word passphrase is a great choice: easy to write down and type, hard to guess. Generate a few candidates with `relicario generate --bip39` and use `relicario rate` to compare them. - Your passphrase is always entered locally, at a hidden prompt. It never leaves your device. For a plain-language explanation of why both your passphrase AND your reference image are required to unlock your vault, see [Concepts](concepts.md). --- **Next:** [Two-factor codes (TOTP)](totp.md)