You remembered wrong: it’s four random words that can be stronger in most modern password standards, not three. The analysis works the same way, however, as you’ll see:

Let’s begin by assuming an attacker is using a brute force attack — they want to crack your password by trying random combinations — however they know beforehand, or made a lucky guess, which style of password to try first (between 4-word or random-letter).

[Most adult English speaker’s vocabulary is 20k words](https://wordcounter.io/blog/how-many-words-does-the-average-person-know). (The 42k number there is a survey in Belgium — no country in the “core” Anglosphere will have an adult vocab that high.) Tweens and teens may have a smaller vocab of 10–15k, and that’s also what I’ve used as a rule of thumb for an adult’s “daily vocabulary”. So to begin with, then, we’ll set the number of available 4-word passwords for this English-speaking adult is 15000^4 or ~5.1 x 10^16.

For any random password standard, [Wheeler & Winburn ch. 6 “Best Practices”](https://www.sciencedirect.com/topics/computer-science/character-password) (should be top right summary — this is the only open-access link) say there are 95 characters available in passwords, and a minimum length of 8 characters should be enforced, giving 95^8 or 7 x 10^15 combinations at minimum.

The 4-word password thus has more combinations than the 8-character password. It’s a bit unrealistic since most websites have longer password requirements. However, it’s also unrealistic because attackers can’t practically use this brute force on even 8-character passwords — they instead make (usually correct) assumptions that most people who create their own “strong” or “random” alphanumeric jumble-looking passwords simply switch up letters in common words. The expected attack time on each password type — this time 4 words compared to an alphanumeric password with up to 16 characters — is given a brief-but-technical illustrated breakdown in [xkcd 936](https://xkcd.com/936/).