Why is 3 random words as a password better than a load of random characters?

Anonymous 0 Comments

Only because the user can remember three random words more easily than 12-15 random characters. A totally random password is harder to crack, but it does no good if the user can’t remember it and has to write it down or reverts to 12345 because he cannot access his device or files.

Anonymous 0 Comments

On the contrary, there is a difference. It IS better to use random characters because, while brute force techniques still have just as many characters to run through, this process can be sped up using rainbow tables or just plain dictionary files, which significantly speed up the process.

Anonymous 0 Comments

There are two things that make a password good: you need to be able to use it, and nobody else should be able to guess it.

Clearly, on the first point, most humans are more likely to remember three words than they are to remember a list of random characters.

However, guessability is still a factor.

The way we measure guessability is called “entropy”, and it’s basically a measure of how many possible passwords exist using the rule you use. As a simple example, a 4-digit PIN has 10 000 possibilities for what it could be. Normally, we measure this in “bits” – the number of bits you need to encode every possible password using your system. This works because adding a character multiplies the combinations available, but because of how bits work, it only adds bits. That 4-digit PIN has about 14 bits of entropy.

A password that uses the 36 “normal” keys on the keyboard (a-z, 0-9) plus their shifted variants (A-Z, !-)) has 72 combinations per character – or about 6.17 bits per character. With an 8-character password, that is about 49.36 bits of entropy.

If you have a list of 100 000 words, one word has an entropy of about 16.6 bits – meaning three words gets us to 49.8 bits of entropy: slightly less guessable.
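The arithmetic in the answer above, carried through as an added example (this is not code from the original page or from the answer's author). It assumes, as the answer does, that every symbol or word is chosen uniformly at random; the word list embedded here is a constructed stand-in for the 100 000-word dictionary the answer mentions, and the guess rate used for the time estimate is an illustrative assumption, not a measured figure.

```python
import math
import secrets


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a secret built from `length` symbols, each drawn
    uniformly from `alphabet_size` choices: log2(alphabet_size ** length).

    Only valid when the choices really are uniform and independent. A phrase
    the user picked because it is memorable (a song lyric, three related words)
    is not uniform and has far less entropy than this formula reports."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate (an attacker expects to
    succeed after about half of them on average)."""
    return (2 ** bits) / guesses_per_second


def compare_schemes(word_list_size: int = 100_000) -> dict:
    """The three schemes from the answer: 4-digit PIN, 8 characters from a
    72-symbol keyboard alphabet, and 3 words from a word list."""
    return {
        "4-digit PIN": entropy_bits(10, 4),
        "8 chars, 72-symbol alphabet": entropy_bits(72, 8),
        f"3 words from {word_list_size:,} words": entropy_bits(word_list_size, 3),
    }


# Constructed sample word list (assumption: a real diceware-style list would
# have tens of thousands of entries; 16 words here is only to make this run).
SAMPLE_WORDS = [
    "apple", "breeze", "cactus", "dune", "ember", "fjord", "glacier", "harbor",
    "island", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def generate_passphrase(words: list, count: int = 3, sep: str = " ") -> str:
    """Pick `count` words uniformly with the OS CSPRNG. `random.choice` would be
    the wrong tool here: it is seeded predictably and not meant for secrets."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate, guesses per second, for illustration
    for name, bits in compare_schemes().items():
        print(f"{name:32s} {bits:6.2f} bits  "
              f"exhaustive search at 1e10/s: {seconds_to_exhaust(bits, rate):,.0f} s")
    print("sample passphrase from the constructed list:",
          generate_passphrase(SAMPLE_WORDS))
    print("entropy of that sample:",
          round(entropy_bits(len(SAMPLE_WORDS), 3), 2), "bits (tiny list, so tiny entropy)")
```

The last line of output makes the practical caveat visible: the three-word scheme only reaches the 49.8 bits quoted in the answer when the words come from a list of about 100 000 entries and are chosen by a proper random source; three words drawn from a short list, or picked by hand, are worth far less.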
