GUIDE

Why a Memorable Code Beats a Random One for Client Handoffs

Photographers, freelancers, and anyone handing files to non-technical clients — a 3-word code is what makes the difference between "did you get it?" and "yes, opening now."

2026-05-13 · EN/KO

A photographer once told me: "Half my support emails are clients spelling letters wrong." She sent wedding galleries through a transfer service that generated codes like XK4N-29WP-T7QB, and the bride's grandmother would come back two days later with "is it XK4 or XQ4? And the 9, is it a 9 or a Q?"

Random codes are great for entropy and terrible for human beings. When the recipient is non-technical, every character is a place where the handoff can fail silently. A "memorable" code replaces the random string with a small phrase of common words: instead of 4Q7T-XR2B-91WK, the gallery is at FT-MEADOW-COPPER-LIGHT. The same gallery, the same security model, but a handoff that can be done over the phone in ten seconds and remembered without writing anything down.

When memorable codes are better

Photographer / videographer delivering to clients who aren't developers.
Live events — "Anyone who wants the bonus material, go to file-tunnel-dot-site and type FRIDAY-RAVEN-PINE." Said out loud, scribbled on a whiteboard, remembered after one hearing.
Coaching / consulting — sending a custom deliverable to a client mid-call. Dictate the code, they receive immediately.
Older relatives — "Mom, the photos are at three words. Write them down: MAPLE LANTERN HEDGE."
Hand-off during a phone call where neither side has the chat app open.

When random codes are better

Programmatic access — CI/CD scripts, API integrations. A random string is easier to copy programmatically and harder to confuse with shell syntax.
Adversarial environments where you actively don't want the code to be guessable from context. A random code is opaque.
Very high-frequency use — the random code generator handles collision risk more aggressively across thousands of simultaneous transfers.

How the memorable code stays secure

A three-word phrase from a 1,024-word list gives you about 30 bits of entropy — roughly a billion combinations. That's about the same as a 6-character password from the 62-character keyspace, with one critical difference: memorable codes live for hours or days, not forever. Brute-forcing a code at the relay would require billions of guesses in a window where the relay sees you guessing, rate-limits the source IP, and the code expires.

For most real-world threat models — random Internet people trying URLs at scale — the relevant defenses are:

Short expiry closes the window.
Rate limiting at the relay caps guesses per IP per hour.
Optional password protection (Pro) means even a guessed code is useless without the separate passphrase.

Combined, brute-forcing a memorable code in a 24-hour window is not a credible attack against this product. If you're sending something where it would be — say, the keys to a treasury — that content shouldn't be in a one-step click-and-grab channel anyway. Layer in client-side encryption.

How to enable a memorable code

Activate Pro Pass on the device you're sending from.
On the Send tab, open the settings panel.
Toggle Memorable code on. (Greyed out for free users — that's the upgrade lever.)
Pick your expiry. For verbal handoffs, 1 hour is usually right.
Click Open the tunnel. You'll see a code like FT-MEADOW-COPPER-LIGHT instead of the random one.

A field-tested phrasing for over-the-phone delivery

The trick to verbal code handoff is to use a consistent script every time. Mine:

"OK, your code is three words at file-tunnel-dot-site. F as in foxtrot, T as in tango, dash, then three words. Meadow. Copper. Light. Type them in capital letters, but the site lowercases automatically. Got it?"

The "F as in foxtrot" intro is half a second of work but prevents the "wait, was that F or S?" followup. The lowercase reassurance prevents a different followup. Two short phrases, thousands of saved seconds across a year of client deliveries.

For photographers specifically

The workflow that emerged from a season of weddings:

Edit, package, zip into a single folder.
Open File Tunnel, pick the zipped gallery, set expiry to 7 days (Pro), turn on memorable code.
Send the code in three places: the WhatsApp / KakaoTalk group, the email contract footer, and SMS to the contact person.
Wait. Watch the connection count tick up over the next 24 hours as relatives discover it.
Tunnel auto-closes at day 7. No follow-up required.

Compared to a dropbox link that lives forever and gets shared sideways into family chats you didn't consent to, this scales cleaner.

Frequently asked questions

Are memorable codes case-sensitive?+

No. The receive form lowercases and accepts any combination of uppercase and lowercase. Hyphens are optional too — FT-MEADOW-COPPER-LIGHT and ftmeadowcopperlight both work.

What if two transfers get the same memorable code?+

The server generates codes against a uniqueness check; the rare collision triggers automatic regeneration. You never see a duplicate.

Can I pick my own words?+

Not yet. The server-side word list is curated to avoid homophones, profanity, and ambiguous spellings. Custom codes are on the roadmap once we are confident we can prevent obvious abuse.

Are the words language-dependent?+

The list is currently English words selected for ease of pronunciation across languages. Korean speakers using a Korean keyboard can type them in either case without trouble.

Is this less secure than the random codes?+

About the same in practice. The random codes have more raw entropy, but neither is meant to survive a year-long offline brute force. Both rely on short expiry, rate limiting, and (for sensitive payloads) password protection.

Try it now

Open File Tunnel and send a real file. It's free up to 10 GB.