Why is 3 random words as a password better than a load of random characters?

75 Answers

Anonymous 0 Comments

You remembered wrong: it’s four random words that can be stronger in most modern password standards, not three. The analysis works the same way, however, as you’ll see:

Let’s begin by assuming an attacker is using a brute force attack — they want to crack your password by trying random combinations — however they know beforehand, or made a lucky guess, which style of password to try first (between 4-word or random-letter).

[Most adult English speakers’ vocabulary is 20k words](https://wordcounter.io/blog/how-many-words-does-the-average-person-know). (The 42k number there is a survey in Belgium — no country in the “core” Anglosphere will have an adult vocab that high.) Tweens and teens may have a smaller vocab of 10–15k, and that’s also what I’ve used as a rule of thumb for an adult’s “daily vocabulary”. So to begin with, then, we’ll say the number of available 4-word passwords for this English-speaking adult is 15000^4 or ~5.1 x 10^16.

For any random password standard, [Wheeler & Winburn ch. 6 “Best Practices”](https://www.sciencedirect.com/topics/computer-science/character-password) (should be top right summary — this is the only open-access link) say there are 95 characters available in passwords, and a minimum length of 8 characters should be enforced, giving 95^8 or 7 x 10^15 combinations at minimum.

The 4-word password thus has more combinations than the 8-character password. It’s a bit unrealistic since most websites have longer password requirements. However, it’s also unrealistic because attackers can’t practically use this brute force on even 8-character passwords — they instead make (usually correct) assumptions that most people who create their own “strong” or “random” alphanumeric jumble-looking passwords simply switch up letters in common words. The expected attack time on each password type — this time 4 words compared to an alphanumeric password with up to 16 characters — is given a brief-but-technical illustrated breakdown in [xkcd 936](https://xkcd.com/936/).

Anonymous 0 Comments

[Relevant xkcd](https://xkcd.com/936/) which I can almost guarantee has been posted already.

One of the biggest things that makes a password secure is length. Hackers aren’t sitting there trying a bunch of individual passwords, and changing an i for a 1 will trick them. So, by using a bunch of words, you make something that’s easy to type (because we’re used to typing actual words) and is also fairly straightforward to remember.

This means you don’t have to write it down somewhere, which is the other thing that makes passwords less secure. Without actually reading that comic again, I can remember that the words used are “horse battery staple correct”. I can’t remember the exact order, but I don’t think I’ve actually looked at the comic for about 5 years, so I’ve got a much better chance of getting it right than I do the awkward spelling of troubador.

Anonymous 0 Comments

Others have addressed the “three random words” part, but I just wanted to point out that what most people use for non-alphanumerics is anything but “a load of random characters.” For example, in order to meet the “special characters” requirement, people who make up their own passwords inevitably use something like “p4$$w0rd” or whatever. For the purposes of entropy/complexity this is indistinguishable from using “password”. Most established “password rules” are pretty much security theatre. (I’m looking at you, “disable paste into password fields”)

Anonymous 0 Comments

There are 26 letters in the alphabet; you can combine 10 of them in ~140 trillion different ways. There are ~170,000 English words currently in use; you can combine 3 of them in ~5 quadrillion different ways.

Remembering 3 words is a lot *easier* than remembering 10 letters, while also being a lot more *secure*.
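As an added example (not code from any of the answers above), the script below works the arithmetic of the first answer (15000^4 words vs 95^8 characters) and of this last answer (170000^3 words vs 26^10 letters) as search-space sizes and entropy in bits, and adds a small defender-side check of the point made in the “p4$$w0rd” answer: a leet-mangled dictionary word is flagged as the dictionary word it came from. The wordlist, the un-leet substitution table and the guess rate are constructed assumptions, not figures from the thread.

```python
import math

# Constructed sample wordlist (assumption); a real checker would load a large
# common-password / dictionary list instead.
COMMON_WORDS = {"password", "correct", "horse", "battery", "staple", "dragon"}

# Reverse "leet" substitutions that rule-based cracking tools try (assumed table;
# "1" is mapped only to "i" here, a real table would also try "l").
UNLEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
          "0": "o", "$": "s", "5": "s", "7": "t"}


def normalize(candidate: str) -> str:
    """Undo case changes, trailing digits/symbols and leet substitutions,
    reducing a mangled word back to its base dictionary word."""
    stripped = candidate.lower().rstrip("0123456789!@#$%^&*")
    return "".join(UNLEET.get(ch, ch) for ch in stripped)


def is_mangled_dictionary_word(candidate: str, words=COMMON_WORDS) -> bool:
    """True if the candidate collapses to a known word under the attacker's rules."""
    return normalize(candidate) in words


def space_size(symbols: int, length: int) -> int:
    """Number of equally likely passwords of `length` symbols drawn uniformly
    (with replacement, order significant) from `symbols` choices."""
    return symbols ** length


def entropy_bits(size: int) -> float:
    """Entropy of a password picked uniformly at random from `size` candidates."""
    return math.log2(size)


def expected_crack_seconds(size: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random password: half the space on average."""
    return (size / 2) / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, purely illustrative
    schemes = {
        "4 words from 15000-word vocab": space_size(15000, 4),
        "8 chars from 95 printable ASCII": space_size(95, 8),
        "3 words from 170000-word vocab": space_size(170000, 3),
        "10 lowercase letters": space_size(26, 10),
    }
    for name, size in schemes.items():
        print(f"{name:34s} {size:.2e} candidates, {entropy_bits(size):5.1f} bits, "
              f"~{expected_crack_seconds(size, rate) / 86400:.0f} days at {rate:.0e}/s")
    for pw in ("p4$$w0rd", "P@ssw0rd!", "Correct1", "xq7v!mz2"):
        print(f"{pw!r:12s} mangled dictionary word: {is_mangled_dictionary_word(pw)}")
```

The mangled-word check is a policy aid, not a substitute for checking against a breached-password list: a candidate that passes it can still be weak for reasons the rules here do not model.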