This page will randomly generate a password consisting of common English words.
It was inspired by
xkcd 936.
The randomness source is
window.crypto.getRandomValues.
How do I know it's safe to use this page to generate passwords?
If you can read JavaScript, it is recommended that you read the source code
(it's only 33 lines of JavaScript).
This page is a selfcontained HTML file with no external dependencies and is
purposely minimalistic, so that it can easily be saved locally and audited.
I generated 15 passwords (of 4 words each), and I saw the same word "foo" generated twice. Is this normal?
Yes. Based on the
birthday paradox,
if you randomly pick 60 words from a set of 2500 words (with replacement),
the probability of seeing a word repeated is approximately:
1  exp(60*(601)/(2*2500)) = 51%
How strong should my password be?
It depends on your threat model. Examples:

Suppose you use the password to encrypt a file, and you use
a memoryhard hash function such as
scrypt to derive
the encryption key from your password. Suppose your adversary has a cluster of 75
computing units where key derivation takes 10 ms (so each computing unit
can try 100 passwords per second), and your adversary is willing to
dedicate these computing resources for 1 year to crack your password. You
want the probability of your adversary cracking your password to be 1 in
100,000. Then your password should have at least:
log_{2}(75*100*60*60*24*365 * 100000) = 54.4 bits of entropy

Suppose you use the password to log in to a website, and your
adversary can try 1 password per minute (due to rate limiting by
the website server) for 1 year.
You want the probability of your adversary cracking your password to be 1
in 10,000.
Then your password should have at least:
log_{2}(60*24*365 * 10000) = 32.3 bits of entropy

Suppose you use the password to log in to a website, and the website hashes
the password with PBKDF2. Suppose your threat model includes the website
getting compromised and your adversary obtaining the password hashes.
Suppose your adversary can try 100,000 passwords per second on a GPU, and
is willing to spend 1 day of GPU time to crack your password.
You want the probability of your adversary cracking your password to be 1
in 1000.
Then your password should have at least:
log_{2}(100000*60*60*24 * 1000) = 43.0 bits of entropy

Suppose your adversary will know the SHA256 hash of your password and can
employ computational resources equal to the entire Bitcoin mining network
(2.5 × 10^{18} hashes/second as of Jan 1, 2017) for a week. You want the
probability of your adversary cracking your password to be 1 in 100,000.
Then your password should have at least:
log_{2}(2.5e18 * 60*60*24 * 7 * 100000) = 96.9 bits of entropy

Custom: