Why is 3 random words as a password better than a load of random characters?




75 Answers

Anonymous

There are two things that make a password good: you need to be able to use it, and nobody else should be able to guess it.

Clearly, on the first point, most humans are more likely to remember three words than they are to remember a list of random characters.

However, guessability is still a factor.

The way we measure guessability is called “entropy”, and it’s basically a measure of how many possible passwords exist using the rule you use. As a simple example, a 4-digit PIN has 10 000 possibilities for what it could be. Normally, we measure this in “bits” – the number of bits you need to encode every possible password using your system: this works because adding a character multiplies the combinations available, but because of how bits work, it only adds bits. That 4-digit PIN has about 14 bits of entropy.

A password that uses the 36 “normal” keys on the keyboard (a-z, 1-0) plus their shifted variants (A-Z, !-) ) has 72 combinations per character – or about 6.17 bits per character. With an 8-character password, it has about 49.36 bits of entropy.

If you have a list of 100 000 words, one word has an entropy of about 16.6 bits – meaning three words gets us to 49.8 bits of entropy: slightly less guessable.

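The arithmetic in the answer above, carried out in code as an added example (not part of the original post): entropy as symbols × log2(choices), the two schemes compared, and a generator that actually picks the words uniformly at random, which is the assumption the entropy figures depend on. The word list is a constructed eight-word stand-in; the answer's numbers assume a 100 000-word dictionary.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list used only to demonstrate generation.
# The answer's arithmetic assumes a 100 000-word dictionary (e.g. a diceware
# list); only its size matters for the entropy calculation below.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "velvet", "canyon", "lantern"]
# 52 letters + 10 digits + 10 shifted digits = the answer's 72-symbol alphabet.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()"


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy (bits) of `symbols` picks made uniformly at random from
    `choices_per_symbol` equiprobable options: symbols * log2(choices).
    Each extra symbol multiplies the possibilities but only adds bits."""
    if choices_per_symbol < 1 or symbols < 0:
        raise ValueError("need at least one choice and a non-negative length")
    return symbols * math.log2(choices_per_symbol)


def compare_schemes(word_list_size: int = 100_000, words: int = 3,
                    charset_size: int = 72, chars: int = 8) -> dict:
    """Entropy of a word passphrase vs. a random-character password, plus the
    worst-case number of guesses needed to exhaust each space."""
    passphrase = entropy_bits(word_list_size, words)
    password = entropy_bits(charset_size, chars)
    return {"passphrase_bits": passphrase, "password_bits": password,
            "passphrase_guesses": 2 ** passphrase,
            "password_guesses": 2 ** password}


def random_passphrase(word_list: list, words: int = 3, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG (secrets), not by hand: the entropy
    figures hold only when every word is chosen uniformly at random."""
    return sep.join(secrets.choice(word_list) for _ in range(words))


def random_password(length: int = 8, alphabet: str = ALPHABET) -> str:
    """Random-character password drawn uniformly from the 72-symbol alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value:,.2f}")
    print(random_passphrase(SAMPLE_WORDS), random_password())
```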