It’s based on the hypothesis that the hacker would try to brute force it using every possible string by testing all characters starting with the shortest string.

If the hacker guess you’re using a group of words because it’s getting common, then he can try a group of 3 words in the 2000 most common words, and now they have only 8 billions combination. Around the same as 5 ASCII characters.

So 3 words is very bad if it gets common. It only works if no hacker think you could possibly do that. Since many people suggest that, that’s most likely a terrible idea.