The UK's National Cyber Security Centre would like to politely remind you that three random words are a good, secure password. Why am I telling you this? Because everything, increasingly, wants you to have a unique account and password for its service.
Citing several ideas like length, impact, novelty, and usability as reasons to choose three-word passwords, the NCSC recommends a three-word password because it bypasses some of the most common ways that criminals crack passwords. These are things like single words with predictable substitutions (5 for S, or ! for 1) and brute-force techniques that rely on shorter passwords to succeed. "The stereotypical password is a single dictionary word or name, with predictable character replacements," says the NCSC.
In contrast, a three-word password is something you can realistically remember or store in a secure location like a password manager. It's also easy to adopt and modify for different sites' requirements, as opposed to generating random strings of characters.
You can read the full post on the value of the three-word password, or passphrase, on the NCSC website. It's a pretty accessible breakdown.
The three-word password is one of the NCSC's most popular topics, apparently, even some five years after it first wrote on the topic. The recent blog post revisits the idea in light of developments since then and concludes that, yep, it's still a good one.
The NCSC is a UK government entity that exists to research, fight, and raise awareness of cyber security issues. They work with global and domestic partners on these issues.
