How to Generate Unbeatable Passwords (and Remember Them)
Humans are terrible at randomness. Ask someone to pick a "random" number between 1 and 10 and a huge share will say 7. Ask them to invent a password and you get a name, a birth year, and a ! bolted on the end to satisfy the complexity rule. Attackers know this, and their cracking tools are built around exactly these habits.
The good news: you don't need to be clever to be uncrackable. You need to understand one concept โ entropy โ and then stop trying to be clever at all. Randomness is the whole game.
What entropy actually measures
Entropy is a measure of unpredictability, expressed in bits. Each bit doubles the number of guesses an attacker has to try. A password with 40 bits of entropy takes 2โดโฐ (about a trillion) attempts to brute-force in the worst case; 60 bits takes 2โถโฐ (about a quintillion).
The critical detail most people miss: entropy is a property of how the password was generated, not how it looks. Tr0ub4dor&3 looks random and messy, but it was built from a dictionary word with predictable character substitutions (oโ0, aโ4). Cracking software applies those substitution rules automatically, so its real strength is far lower than its 11 characters suggest โ roughly 28 bits.
Compare that to four words chosen at random from a list โ correct horse battery staple. It's longer, easier to picture, and lands around 44 bits of entropy because nothing about the choice is predictable. That gap is the entire lesson.
Length beats complexity
For a truly random password drawn from an alphabet of N characters, entropy is length ร logโ(N). Run the numbers on the full 95-character printable ASCII set (logโ(95) โ 6.6 bits per character):
- 8 characters โ 52 bits โ crackable by a determined attacker with GPUs against a fast hash.
- 12 characters โ 79 bits โ comfortably strong for almost everything.
- 16 characters โ 105 bits โ overkill in the best way.
Notice that adding characters buys you far more than adding "complexity rules" to a short one. A 16-character password made only of lowercase letters (logโ(26) โ 4.7 bits each) still clears 75 bits. Length is doing the heavy lifting. This is why modern guidance from bodies like NIST has moved away from forced symbol/number rules and toward encouraging long passphrases.
The caveat: all of this assumes the characters are random. aaaaaaaaaaaaaaaa is 16 characters and roughly zero bits of real entropy. The formula only holds when a proper random source picks the characters โ which is exactly why you should never generate passwords in your head.
The Diceware / passphrase method
The most human-friendly way to hit high entropy is a passphrase: several words chosen at random and joined together. This is the Diceware method, originally done by rolling physical dice against a numbered word list.
Each word from a ~7,776-word list contributes about 12.9 bits. From a smaller ~2,000-word list, about 11 bits. So:
- 4 words โ 44โ52 bits โ fine for low-stakes logins.
- 5 words โ 55โ65 bits โ a solid default for important accounts.
- 6 words โ 66โ77 bits โ strong enough to protect a password manager's master key.
A generated phrase like bucket-light-railway-jump is high entropy and memorable, because your brain can build an absurd little scene โ a bucket riding a light railway, jumping the tracks. That mental image is why passphrases stick where Tr0ub4dor&3 never will.
Generating one safely
You can roll real dice, or let a properly built tool do it. SnapSend's password generator has a passphrase mode that:
- Draws words from a curated dictionary.
- Uses the browser's crypto-secure random source (
crypto.getRandomValues, a CSPRNG) โ notMath.random(), which is predictable and unsuitable for secrets. - Runs entirely client-side, so the generated password never touches a server.
That last point matters. A password generator that phones home is a password generator you have to trust with your secrets. Everything about how SnapSend handles data client-side is documented on the security page.
Common mistakes that quietly kill entropy
- Reusing a "strong" password everywhere. A 100-bit password is worthless if one breached site leaks it and you used it on twelve others. Credential-stuffing attacks exist precisely because reuse is universal.
- Human-chosen "random" characters. Keyboard patterns (
qwerty,1qaz2wsx), leetspeak swaps, and appending2024!are all in the standard cracking rulesets. - Personal data as a base. Pet names, kids' birthdays, and sports teams are the first thing a targeted attacker tries โ much of it is scrapeable from social media.
- Trusting length alone.
Password1234567890is long and worthless. Length only counts when the content is unpredictable. - Short PINs on high-value accounts. A 4-digit PIN is ~13 bits. Fine when hardware rate-limits guesses; catastrophic anywhere it doesn't.
Don't memorize โ manage
You cannot memorize a unique 16-character random password for 200 accounts, and you shouldn't try. The realistic system is:
- Memorize exactly one strong passphrase โ five or six random words โ as your master password.
- Let a password manager (Bitwarden, 1Password, KeePassXC) generate and store a unique random password for every other account. We make the full case for this in why you should use a password manager.
- Turn on two-factor authentication on the manager and on anything that supports it, so a leaked password alone can't unlock the account. See why 2FA matters.
This flips the problem: instead of 200 weak passwords you can remember, you have 200 uncrackable ones you never need to.
Sharing a password without wrecking it
A perfectly generated password loses all its strength the moment you paste it into a chat message, an email, or a shared doc that lives forever. Email in particular is a bad channel โ we cover the reasons in why email is the worst place for passwords.
When you genuinely have to hand a credential to someone else, use a one-time, self-destructing link instead of a persistent copy. SnapSend's send a password securely flow encrypts the secret in your browser and destroys it after a single view, so it never sits in an inbox waiting to be found.
Quick checklist
- [ ] Master password: 5โ6 random words, memorized, used nowhere else.
- [ ] Everything else: unique, 16+ random characters, stored in a password manager.
- [ ] Generated by a CSPRNG-backed tool โ never invented by hand.
- [ ] 2FA enabled on the manager and every account that offers it.
- [ ] Passwords shared via one-time encrypted links, never pasted into chat or email.
Generate one now
If you take one action from this, make it this: stop inventing passwords in your head. Open the SnapSend password generator, switch to passphrase mode, and create something with real entropy โ it runs entirely in your browser, no account required.