Others have addressed the “three random words” part, but I just wanted to point out that what most people use for non-alphanumerics is anything but “a load of random characters.” For example, in order to meet the “special characters” requirement, people who make up their own passwords inevitably use something like “p4$$w0rd” or whatever. For the purposes of entropy/complexity this is indistinguishable from using “password”. Most established “password rules” are pretty much security theatre. (I’m looking at you, “disable paste into password fields”.)
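A password-policy check in the spirit of the comment above, as an added example that is not part of the original comment: it undoes common look-alike substitutions before comparing a candidate password against a blocklist, so “p4$$w0rd” is rejected along with “password”. The substitution table, the sample word list and the function names are assumptions constructed for illustration.

```python
from itertools import product

# Constructed sample blocklist; a real deployment would load a breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "football"}

# Assumed look-alike table; some symbols can stand for more than one letter.
LEET = {
    "4": "a", "@": "a", "8": "b", "3": "e", "6": "g", "9": "g",
    "1": "il", "!": "il", "|": "il", "0": "o", "5": "s", "$": "s",
    "7": "t", "+": "t", "2": "z",
}

def deleet_candidates(password, limit=4096):
    """Return the lowercase readings of `password` with substitutions undone."""
    # Each position may be read as a mapped letter or as the literal character.
    options = [LEET.get(ch, "") + ch for ch in password.lower()]
    total = 1
    for opt in options:
        total *= len(opt)
    if total > limit:
        # Long input: keep one reading per position to bound the work.
        options = [opt[0] for opt in options]
    return {"".join(combo) for combo in product(*options)}

def strip_affixes(word):
    """Drop leading/trailing digits and punctuation: 'password1!' -> 'password'."""
    return word.strip("0123456789!@#$%^&*?._-")

def is_disguised_common_word(password):
    """True if a blocklisted word hides behind look-alike substitutions."""
    for cand in deleet_candidates(password):
        if cand in COMMON_WORDS or strip_affixes(cand) in COMMON_WORDS:
            return True
    return False

if __name__ == "__main__":
    for pw in ["p4$$w0rd", "P@ssw0rd1!", "l3tm31n", "correct horse battery"]:
        print(f"{pw!r}: reject={is_disguised_common_word(pw)}")
```
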