The UK National Cyber Security Center would like to politely remind you that three random words are a good secure password. Why can I tell you? Because everything, more and more, wants you to have a unique account and password for your service.
Citing various ideas such as duration, impact, novelty, and usability as reasons for choosing three-word passwords, the NCSC recommends a three-word password, as it ignores some of the more common ways criminals erase passwords. These are things like simple words with predictable substitutions (5 for S or! For 1) and brute force techniques that rely on shorter passwords to succeed. “The stereotypical password is a single word or dictionary name, with predictable character replacements,” says the NCSC.
Instead, a three-word password is something you can realistically remember or store in a secure location, such as a password manager. It is also easy to adopt and modify according to the requirements of different sites, instead of generating random strings of characters.
You can read the full post on the value of the three-word password, or password, on the NCSC website. It’s a pretty accessible breakdown.
The three-word password is one of the NCSC's most popular topics, apparently even about five years after he first wrote about it. The blog’s recent post revisits the idea in light of developments since then and concludes that, yes, it’s still good.
The NCSC is a UK government entity that exists to investigate, combat and raise awareness about cybersecurity issues. They work with national and global partners on these issues.