Skip to main content
Back to all posts

How to Generate Unbeatable Passwords (and Remember Them)

โ€ขSnapSend Team

Humans are terrible at randomness. Ask someone to pick a "random" number between 1 and 10 and a huge share will say 7. Ask them to invent a password and you get a name, a birth year, and a ! bolted on the end to satisfy the complexity rule. Attackers know this, and their cracking tools are built around exactly these habits.

The good news: you don't need to be clever to be uncrackable. You need to understand one concept โ€” entropy โ€” and then stop trying to be clever at all. Randomness is the whole game.

What entropy actually measures

Entropy is a measure of unpredictability, expressed in bits. Each bit doubles the number of guesses an attacker has to try. A password with 40 bits of entropy takes 2โดโฐ (about a trillion) attempts to brute-force in the worst case; 60 bits takes 2โถโฐ (about a quintillion).

The critical detail most people miss: entropy is a property of how the password was generated, not how it looks. Tr0ub4dor&3 looks random and messy, but it was built from a dictionary word with predictable character substitutions (oโ†’0, aโ†’4). Cracking software applies those substitution rules automatically, so its real strength is far lower than its 11 characters suggest โ€” roughly 28 bits.

Compare that to four words chosen at random from a list โ€” correct horse battery staple. It's longer, easier to picture, and lands around 44 bits of entropy because nothing about the choice is predictable. That gap is the entire lesson.

Length beats complexity

For a truly random password drawn from an alphabet of N characters, entropy is length ร— logโ‚‚(N). Run the numbers on the full 95-character printable ASCII set (logโ‚‚(95) โ‰ˆ 6.6 bits per character):

  • 8 characters โ‰ˆ 52 bits โ€” crackable by a determined attacker with GPUs against a fast hash.
  • 12 characters โ‰ˆ 79 bits โ€” comfortably strong for almost everything.
  • 16 characters โ‰ˆ 105 bits โ€” overkill in the best way.

Notice that adding characters buys you far more than adding "complexity rules" to a short one. A 16-character password made only of lowercase letters (logโ‚‚(26) โ‰ˆ 4.7 bits each) still clears 75 bits. Length is doing the heavy lifting. This is why modern guidance from bodies like NIST has moved away from forced symbol/number rules and toward encouraging long passphrases.

The caveat: all of this assumes the characters are random. aaaaaaaaaaaaaaaa is 16 characters and roughly zero bits of real entropy. The formula only holds when a proper random source picks the characters โ€” which is exactly why you should never generate passwords in your head.

The Diceware / passphrase method

The most human-friendly way to hit high entropy is a passphrase: several words chosen at random and joined together. This is the Diceware method, originally done by rolling physical dice against a numbered word list.

Each word from a ~7,776-word list contributes about 12.9 bits. From a smaller ~2,000-word list, about 11 bits. So:

  • 4 words โ‰ˆ 44โ€“52 bits โ€” fine for low-stakes logins.
  • 5 words โ‰ˆ 55โ€“65 bits โ€” a solid default for important accounts.
  • 6 words โ‰ˆ 66โ€“77 bits โ€” strong enough to protect a password manager's master key.

A generated phrase like bucket-light-railway-jump is high entropy and memorable, because your brain can build an absurd little scene โ€” a bucket riding a light railway, jumping the tracks. That mental image is why passphrases stick where Tr0ub4dor&3 never will.

Generating one safely

You can roll real dice, or let a properly built tool do it. SnapSend's password generator has a passphrase mode that:

  1. Draws words from a curated dictionary.
  2. Uses the browser's crypto-secure random source (crypto.getRandomValues, a CSPRNG) โ€” not Math.random(), which is predictable and unsuitable for secrets.
  3. Runs entirely client-side, so the generated password never touches a server.

That last point matters. A password generator that phones home is a password generator you have to trust with your secrets. Everything about how SnapSend handles data client-side is documented on the security page.

Common mistakes that quietly kill entropy

  • Reusing a "strong" password everywhere. A 100-bit password is worthless if one breached site leaks it and you used it on twelve others. Credential-stuffing attacks exist precisely because reuse is universal.
  • Human-chosen "random" characters. Keyboard patterns (qwerty, 1qaz2wsx), leetspeak swaps, and appending 2024! are all in the standard cracking rulesets.
  • Personal data as a base. Pet names, kids' birthdays, and sports teams are the first thing a targeted attacker tries โ€” much of it is scrapeable from social media.
  • Trusting length alone. Password1234567890 is long and worthless. Length only counts when the content is unpredictable.
  • Short PINs on high-value accounts. A 4-digit PIN is ~13 bits. Fine when hardware rate-limits guesses; catastrophic anywhere it doesn't.

Don't memorize โ€” manage

You cannot memorize a unique 16-character random password for 200 accounts, and you shouldn't try. The realistic system is:

  1. Memorize exactly one strong passphrase โ€” five or six random words โ€” as your master password.
  2. Let a password manager (Bitwarden, 1Password, KeePassXC) generate and store a unique random password for every other account. We make the full case for this in why you should use a password manager.
  3. Turn on two-factor authentication on the manager and on anything that supports it, so a leaked password alone can't unlock the account. See why 2FA matters.

This flips the problem: instead of 200 weak passwords you can remember, you have 200 uncrackable ones you never need to.

Sharing a password without wrecking it

A perfectly generated password loses all its strength the moment you paste it into a chat message, an email, or a shared doc that lives forever. Email in particular is a bad channel โ€” we cover the reasons in why email is the worst place for passwords.

When you genuinely have to hand a credential to someone else, use a one-time, self-destructing link instead of a persistent copy. SnapSend's send a password securely flow encrypts the secret in your browser and destroys it after a single view, so it never sits in an inbox waiting to be found.

Quick checklist

  • [ ] Master password: 5โ€“6 random words, memorized, used nowhere else.
  • [ ] Everything else: unique, 16+ random characters, stored in a password manager.
  • [ ] Generated by a CSPRNG-backed tool โ€” never invented by hand.
  • [ ] 2FA enabled on the manager and every account that offers it.
  • [ ] Passwords shared via one-time encrypted links, never pasted into chat or email.

Generate one now

If you take one action from this, make it this: stop inventing passwords in your head. Open the SnapSend password generator, switch to passphrase mode, and create something with real entropy โ€” it runs entirely in your browser, no account required.